Abstract

We introduce regular graph constraints and explore their 
decidability properties. The motivation for regular graph 
constraints is 1) type checking of changing types of objects 
in the presence of linked data structures, 2) shape analysis 
techniques, and 3) generalization of similar constraints over 
trees and grids. 

Typestate checking for recursive and potentially cyclic
data structures requires verifying the validity of implication
for regular graph constraints. The implication of regular
graph constraints also arises in shape analysis algorithms
such as role analysis and some analyses based on three-
valued logic.

Over the class of lists, regular graph constraints reduce to
nondeterministic finite state automata as a special case.
Over the class of trees the constraints reduce to nondeterministic
top-down tree automata, and over the class of
grids our constraints reduce to domino systems and tiling
problems.

We define a subclass of graphs called heaps as an ab- 
straction of the data structures that a program constructs 
during its execution. We show that satisfiability of regu- 
lar graph constraints over the class of heaps is decidable. 
However, determining the validity of implication for regu- 
lar graph constraints over the class of heaps is undecidable. 
The undecidability of implication is the central result of the 
paper. The result is somewhat surprising because our sim- 
ple constraints are strictly less expressive than existential 
monadic second-order logic over graphs. In the key step 
of our proof we introduce the class of corresponder graphs 
which mimic solutions of Post correspondence problem in- 
stances. We show undecidability by exhibiting a character- 
ization of corresponder graphs in terms of presence and ab- 
sence of homomorphisms to a finite number of fixed graphs. 

The undecidability of implication of regular graph con- 
straints implies that there is no algorithm that will verify 
that procedure preconditions are met or that the invariants 
are maintained when these properties are expressed in any 
specification language at least as expressive as regular graph 
constraints. 

*This research was supported in part by DARPA Contract F33615-
00-C-1692, NSF Grant CCR00-86154, NSF Grant CCR00-63513, and
the Singapore-MIT Alliance.
1 Introduction

Types capture important properties of objects in the program.
In an imperative language properties of objects
change over time. It is therefore desirable that types capture
changing properties of objects. A typestate system is
a system where types of objects change over time. A simple
typestate system was introduced in [2]; more recent examples
include [14, 23, 28]. We view typestate as a step
towards statically checking properties of objects [17, 8].

One of the difficulties with defining object properties in
object-oriented languages is that a property of an object may
depend on properties of other objects in the heap. Some systems
allow programmers to identify properties of an object
$x$ in terms of properties of objects $y$ such that $x$ references
$y$. The idea that important properties of an object $x$ may
depend on properties of objects $z$ such that $z$ references $x$
was introduced in the role system [14].

In general, properties of objects may be mutually recursive
and the referencing graph of objects may be cyclic. Due
to cycles in the heap the least fixpoint solution for the recursive
object properties is not acceptable because there is no
basis to ground the inductive definitions of these properties.
We therefore say that a heap satisfies a set of properties if
there exists some choice of predicates that satisfy the mutually
recursive definitions. The existential quantification over
predicates leads to constraints that have the form of existential
monadic second-order logic. For a presentation
of role analysis and related systems from the perspective of
monadic second-order logic, see [13].

In this paper we present a very simple form of constraints
that we call regular graph constraints. A set of regular graph
constraints can be specified by a single graph $G$. A heap $H$
satisfies the constraints iff there exists a graph homomorphism
from $H$ to $G$. Regular graph constraints abstract the
problem of mutually recursive definitions of properties over
potentially cyclic graphs. The existential quantification over
predicates is modeled in regular graph constraints as the existence
of a homomorphism to a given fixed graph. Regular
graph constraints are closed under conjunction and in certain
cases are closed under disjunction (Section 2.9). Moreover,
regular graph constraints generalize the notion of tree
automata [27] and domino systems [12], without going all
the way to monadic second-order logic for richer domains.
In this paper we consider as the domain of interpretation
the class of heaps. Our notion of heap is an abstraction
of the garbage-collected heap in programming languages like
Java or ML. Heaps contain a "root" node and a "null" node,
all nodes are reachable from the root, and all edges are total
functions mapping nodes to nodes.

In Section 2.8 we show that there is a simple and efficient
algorithm that decides if regular graph constraints
have a heap model. This results in a simple sanity test
on regular graph constraint specifications that rules out
contradictory specifications.

We next turn to the problem of checking if one set of regular
graph constraints implies another set of regular graph
constraints over the set of heaps. Our main contribution
(Section 3) is the proof that the implication problem is undecidable.

The implication problem for graphs arises in compositional
checking of programs if procedure preconditions or
postconditions are given as regular graph constraints. In
Section 3.5.4 we show that the implication problem also
arises when proving that an invariant holds after every program
step. These verification problems are therefore undecidable.
Our result places limitations on the completeness
of systems such as role analysis [14] and shape analysis [20]
that use homomorphic images to represent the abstraction
of the heap. The undecidability of implication for regular graph
constraints means that semantically checking the implication of such
homomorphic graph images is undecidable.

A common way of showing the undecidability of problems
over graphs is to encode Turing machine computation
histories [22] as a special form of graphs called grids. The
difficulty with showing the undecidability of implication of 
regular graph constraints is that regular graph constraints 
cannot define the subclass of grids among the class of heaps. 
Indeed, this is why satisfiability of regular graph constraints 
over heaps is decidable. To show the undecidability of the 
implication of regular graph constraints, we use the con- 
straints on both sides of the implication to restrict the set 
of possible counterexample models for the implication. For 
this purpose we introduce a new class of graphs called cor- 
responder graphs. Satisfiability of regular graph constraints 
over corresponder graphs mimics the solution of a Post cor- 
respondence problem instance, and is therefore undecidable. 
We give a method for constructing an implication such that 
all counterexamples for the validity of implication are cor- 
responder graphs which satisfy a given regular graph con- 
straint. This shows that the validity of the implication is 
undecidable. 

Due to closure under conjunction, the implication is re- 
ducible to the equivalence of regular graph constraints. As 
a result, the equivalence of two regular graph constraints is 
also undecidable. 

2 Regular Graph Constraints 

In this section we define the class of graphs considered 
in this paper as well as its subclasses heaps, trees, lists, 
grids, and corresponder graphs. We present our regular 
graph constraints, give several equivalent formulations of 
the constraints and show that our constraints capture tree 
automata and domino systems as special cases. We then 
review some decidability properties, show that satisfiability 



of regular constraints over heaps is efficiently decidable and 
state some closure properties of regular graph constraints. 

2.1 Preliminaries 

If $r \subseteq A \times B$ and $S \subseteq A$, the relational image of the set $S$ under $r$
is defined as

$$ r[S] = \{\, y \mid x \in S,\ (x, y) \in r \,\} $$

We use ■ to mark the end of a proof and ♦ to mark the end 
of an example. 

2.2 Graphs 

We will be considering the following class of directed graphs
in this paper. Our graphs contain two kinds of edges, which
we represent by relations $s_1$ and $s_2$. These relations may
represent fields in an object-oriented program. The constant
root represents the root of the graph. We use edges terminating
at null to represent partial functions and abstractions
of graphs with partial functions.

Definition 1 A graph is a relational structure

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

where

• $V$ is a finite set of nodes;

• $\mathrm{root}, \mathrm{null} \in V$ are distinct constants, $\mathrm{root} \neq \mathrm{null}$;

• $s_1, s_2 \subseteq V \times V$ are two kinds of graph edges, such that
for all nodes $x$

$$ (\mathrm{null}, x) \in s_i \ \text{ iff } \ x = \mathrm{null} $$

for $i \in \{1, 2\}$.

We use $\mathcal{G}$ to denote the class of all graphs.

An $s_1$-successor of a node $x$ is any element of the set $s_1[\{x\}]$;
similarly an $s_2$-successor of $x$ is any element of $s_2[\{x\}]$. Note
that there are exactly two edges originating from null (one
self-loop for each of $s_1$ and $s_2$). When drawing graphs we
never show these two edges.

Definition 2 A heap is a graph $G = (V, s_1, s_2, \mathrm{null}, \mathrm{root})$
where the relations $s_1$ and $s_2$ are total functions and where for
all $x \neq \mathrm{null}$, node $x$ is reachable from root. We use $\mathcal{H}$ to
denote the class of all heaps.

Definition 3 The in-degree of a node $x$ in a graph is the
number of edges terminating at $x$:

$$ \mathrm{inDegree}(x) = |\{\, y \mid \exists i.\ (y, x) \in s_i \,\}| $$

Definition 4 A tree is a connected acyclic graph such that
$\mathrm{inDegree}(x) \le 1$ for every node $x$.

Definition 5 A list is a tree with at most one non-null outgoing
edge: for every node $x$, $s_1(x) = \mathrm{null}$ or $s_2(x) = \mathrm{null}$.
2.3 Graphs as Constraints

A regular constraint on a graph $G$ is a constraint stating
that $G$ can be homomorphically mapped to another graph
$G'$.

Definition 6 We say that a graph $G$ satisfies the constraints
given by a graph $G'$, and write $G \to G'$, iff there
exists a homomorphism from $G$ to $G'$.

A homomorphism between graphs is defined as follows.

Definition 7 A function $h : V \to V'$ is a homomorphism
between graphs

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

and

$$ G' = (V', s'_1, s'_2, \mathrm{null}', \mathrm{root}') $$

iff all of the following conditions hold:

1. $(x, y) \in s_i$ implies $(h(x), h(y)) \in s'_i$, for all $i \in \{1, 2\}$;

2. $h(x) = \mathrm{root}'$ iff $x = \mathrm{root}$;

3. $h(x) = \mathrm{null}'$ iff $x = \mathrm{null}$.

If there exists a homomorphism from $G$ to $G'$, we call $G$ a
model for $G'$.

We can think of a homomorphism $h : V \to V'$ as a coloring
of the graph $G$. The color $h(x)$ of a node $x$ restricts the
colors of the $s_1$-successors of $x$ to the colors in $s'_1[\{h(x)\}]$ and
the colors of the $s_2$-successors to the colors in $s'_2[\{h(x)\}]$.

Example 8 A graph $G$ can be colored by $k$ colors so that
adjacent nodes have different colors iff $G$ is homomorphic
to a complete graph without self-loops,

$$ G' = (V', s'_1, s'_2, \mathrm{null}', \mathrm{root}') $$

with $V' = \{1, \ldots, k\}$ and

$$ s'_1 = s'_2 = \{\, (x', y') \mid x' \neq y' \,\}. $$

♦

The identity function is a homomorphism from a graph to
itself. Therefore, $G \to G$ for every graph $G$. The following
fundamental property of homomorphisms also holds.

Proposition 9 (Homomorphisms compose) Let

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$
$$ G' = (V', s'_1, s'_2, \mathrm{null}', \mathrm{root}') $$
$$ G'' = (V'', s''_1, s''_2, \mathrm{null}'', \mathrm{root}'') $$

and let $h : G \to G'$ and $h' : G' \to G''$ be homomorphisms.
Then $h^0 : G \to G''$ where $h^0 = h' \circ h$ is also a homomorphism.

A consequence of Proposition 9 is that $\to$ is a transitive
relation.

Definition 10 (Satisfiability) A graph $G'$ is satisfiable
over the class of graphs $\mathcal{C}$ iff there exists a graph $G \in \mathcal{C}$
such that $G \to G'$. The satisfiability problem over the class of
graphs $\mathcal{C}$ is: given a graph $G'$, determine if $G'$ is satisfiable.

Definition 11 (Implication) We say that $G_1$ implies $G_2$
over the class of graphs $\mathcal{C}$, and write

$$ G_1 \leadsto_{\mathcal{C}} G_2, $$

iff

$$ (H \to G_1) \ \text{ implies } \ (H \to G_2) $$

for all graphs $H \in \mathcal{C}$.

We will omit $\mathcal{C}$ in $\leadsto_{\mathcal{C}}$ if the class of graphs is clear from
the context.

The following fact provides a sufficient condition for the
graph implication to hold. It is a direct consequence of
Proposition 9.

Proposition 12 Let $\mathcal{C}$ be any class of graphs. Let $G \to G'$.
Then $G \leadsto_{\mathcal{C}} G'$.

In Section 3 we show that the implication of graphs is undecidable
over the class of heaps.
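As an added illustration that is not part of the paper, the following Python code decides whether a concrete graph is a model of a constraint graph in the sense of Definitions 6 and 7, by backtracking over the possible colors of each node. The dictionary representation of graphs, the constraint graph LIST_SPEC (an $s_1$-linked list whose $s_2$ fields all point to null) and the three test heaps are constructed here for the example.

```python
"""Homomorphism search for graphs (V, s1, s2, null, root)."""


def make_graph(nodes, s1, s2, root="root", null="null"):
    """Build a graph of Definition 1. Edges are (x, y) pairs; the two
    self-loops on null that the definition requires are added here."""
    return {
        "V": set(nodes) | {root, null},
        "s1": set(s1) | {(null, null)},
        "s2": set(s2) | {(null, null)},
        "root": root,
        "null": null,
    }


def is_homomorphism(G, Gp, h):
    """The three conditions of Definition 7 for a concrete map h: V -> V'."""
    for const in ("root", "null"):
        # h(x) = root' iff x = root, and likewise for null
        if any((h[x] == Gp[const]) != (x == G[const]) for x in G["V"]):
            return False
    # every edge of G is carried to an edge of the same kind in G'
    return all((h[x], h[y]) in Gp[s] for s in ("s1", "s2") for (x, y) in G[s])


def find_homomorphism(G, Gp):
    """Backtracking search for a homomorphism G -> G' (Definition 6).
    Returns the map, or None when G is not a model of G'. Conditions 2 and 3
    pin root and null; any other node of G may only receive a color that is
    neither root' nor null'."""
    colors = sorted(v for v in Gp["V"] if v not in (Gp["root"], Gp["null"]))
    h = {G["root"]: Gp["root"], G["null"]: Gp["null"]}
    todo = sorted(x for x in G["V"] if x not in h)

    def edges_ok():
        # partial check: every edge whose endpoints are both colored already
        return all((h[x], h[y]) in Gp[s]
                   for s in ("s1", "s2") for (x, y) in G[s]
                   if x in h and y in h)

    def extend(i):
        if i == len(todo):
            return True
        x = todo[i]
        for c in colors:
            h[x] = c
            if edges_ok() and extend(i + 1):
                return True
            del h[x]
        return False

    return dict(h) if edges_ok() and extend(0) else None


# Constraint graph (constructed for this example): cells reached through s1
# form a list and every s2 field is null. Node A stands for "any list cell".
LIST_SPEC = make_graph(
    ["A"],
    s1=[("root", "A"), ("A", "A"), ("A", "null")],
    s2=[("root", "null"), ("A", "null")],
)

# Three constructed heaps to test against LIST_SPEC.
H_LIST = make_graph(["a", "b"],
                    s1=[("root", "a"), ("a", "b"), ("b", "null")],
                    s2=[("root", "null"), ("a", "null"), ("b", "null")])
H_CYCLE = make_graph(["a", "b"],                       # s1 cycle a -> b -> a
                     s1=[("root", "a"), ("a", "b"), ("b", "a")],
                     s2=[("root", "null"), ("a", "null"), ("b", "null")])
H_DATA = make_graph(["a", "b"],                        # a.s2 points at a cell
                    s1=[("root", "a"), ("a", "b"), ("b", "null")],
                    s2=[("root", "null"), ("a", "b"), ("b", "null")])

if __name__ == "__main__":
    for name, H in (("H_LIST", H_LIST), ("H_CYCLE", H_CYCLE), ("H_DATA", H_DATA)):
        print(name, "-> LIST_SPEC:", find_homomorphism(H, LIST_SPEC))
```

The cyclic heap is accepted because the constraint graph has the self-loop $(A, A) \in s'_1$; the heap whose $s_2$ field points at a non-null cell is rejected because $(A, A) \notin s'_2$. The search is exponential in the worst case, which is fine for constraint graphs of the size used in this paper's examples but is not the polynomial procedure of Section 2.8.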

2.4 Paths 

We next state several simple properties of paths that will be
useful in Section 3.

Definition 13 (Path) Let

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

be a graph and $n \ge 0$. A path in graph $G$, denoted $p \in \mathrm{Paths}(G)$,
starting at $x_0$ and terminating at $x_n$ is a sequence
of alternating nodes and labels

$$ p = x_0, l_0, x_1, l_1, \ldots, l_{n-1}, x_n $$

such that $x_0, \ldots, x_n \in V$; $l_0, \ldots, l_{n-1} \in \{1, 2\}$ and
$(x_i, x_{i+1}) \in s_{l_i}$ for all $i$, $0 \le i < n$. We define $\mathrm{word}(p) \in \{1, 2\}^*$ by

$$ \mathrm{word}(p) = l_0 l_1 \ldots l_{n-1} $$
Definition 14 (Slice) A path is a slice if it starts at root 
and terminates at null. 

Definition 15 (Path Image) Let $h$ be a homomorphism
from graph $G_0$ to graph $G$ and let

$$ p = x_0, l_0, x_1, l_1, \ldots, l_{n-1}, x_n $$

be a path in $G_0$. Then

$$ h[p] = h(x_0), l_0, h(x_1), l_1, \ldots, l_{n-1}, h(x_n) $$

is the image of path $p$ under the homomorphism $h$.

The following facts are a consequence of the definition of 
homomorphism. 

Proposition 16 Let $h$ be a homomorphism from graph $G_0$
to graph $G$ and let $p$ be a path in $G_0$. Then

1. $h[p]$ is a path in $G$;

2. if $p$ is a slice then $h[p]$ is a slice;

3. $\mathrm{word}(p) = \mathrm{word}(h[p])$.
Definition 17 Let $p$ be a path in $G$ and $e$ be a regular expression
over the alphabet $\{1, 2\}$. We write

$$ p \in_p e $$

iff $\mathrm{word}(p)$ belongs to the language of the regular expression
$e$.

From Proposition 16 we directly obtain the following fact.

Proposition 18 (Regular Expression Test) Let $G_0 \to G$.
Then if $e$ is any regular expression over the alphabet
$\{1, 2\}$ such that $G_0$ contains some slice $p \in_p e$, then $G$ contains
some slice $p' \in_p e$.

Proof. Let $h$ be a homomorphism from $G_0$ to $G$, and let $p$ be a slice in $G_0$ with $p \in_p e$.
By Proposition 16 we have that $h[p]$ is a slice in $G$ and
$\mathrm{word}(h[p]) = \mathrm{word}(p)$, so $h[p] \in_p e$. ■

We will use the contrapositive of Proposition 18 in the proof
of Proposition 37 (Section 3).
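The contrapositive of Proposition 18 is a cheap way to refute a homomorphism before running any search. The following added Python example (not part of the paper) tests exactly whether a graph has a slice with a given word, by tracking the set of nodes reached after each prefix as an NFA run, so cyclic graphs with infinitely many slices are handled; a bounded enumeration then finds a shortest slice matching a regular expression. The graphs G0 and G and the dictionary representation are constructed for this example.

```python
"""Slices, words and the regular expression test of Proposition 18."""
import re


def make_graph(nodes, s1, s2, root="root", null="null"):
    """Graph of Definition 1 with the required self-loops on null."""
    return {"V": set(nodes) | {root, null},
            "s1": set(s1) | {(null, null)}, "s2": set(s2) | {(null, null)},
            "root": root, "null": null}


def step(G, nodes, label):
    """All s_label-successors of any node in `nodes`."""
    s = G["s1"] if label == "1" else G["s2"]
    return {y for (x, y) in s if x in nodes}


def has_slice_with_word(G, word):
    """Exact membership test: is `word` in {word(p) | p a slice of G}?
    Because null carries self-loops, any continuation of a slice word is
    again a slice word; the set-of-nodes simulation reflects that."""
    current = {G["root"]}
    for label in word:
        current = step(G, current, label)
        if not current:
            return False
    return G["null"] in current


def slice_words(G, max_len):
    """Words of all slices with at most max_len labels (bounded enumeration;
    the full set may be infinite when G has cycles)."""
    words, frontier = set(), {(G["root"], "")}
    for _ in range(max_len):
        frontier = {(y, w + label) for (x, w) in frontier
                    for label in "12" for y in step(G, {x}, label)}
        words |= {w for (y, w) in frontier if y == G["null"]}
    return words


def shortest_slice_matching(G, regex, max_len):
    """A shortest slice word w with w in L(e) (Definition 17), searched up to
    max_len labels; None if no slice that short matches."""
    pat = re.compile(regex)
    hits = [w for w in slice_words(G, max_len) if pat.fullmatch(w)]
    return min(hits, key=lambda w: (len(w), w)) if hits else None


def refuted_by_word(G0, G, word):
    """Contrapositive of Proposition 18 for a single word: if G0 has a slice
    with this word and G has none, then no homomorphism G0 -> G exists."""
    return has_slice_with_word(G0, word) and not has_slice_with_word(G, word)


# Constructed heap G0: root.s1 = a, a.s1 = null, all s2 edges go to null.
G0 = make_graph(["a"], s1=[("root", "a"), ("a", "null")],
                s2=[("root", "null"), ("a", "null")])
# Constructed constraint graph G: following s1 from A never reaches null,
# so G has no slice with word 11 although G0 has one.
G = make_graph(["A"], s1=[("root", "A"), ("A", "A")],
               s2=[("root", "null"), ("A", "null")])

if __name__ == "__main__":
    print("slice words of G0 up to length 2:", sorted(slice_words(G0, 2)))
    print("G0 -> G refuted by word 11:", refuted_by_word(G0, G, "11"))
```

For a single word the test is exact and linear in the size of the graph; for a whole regular expression the bounded enumeration only gives the positive direction ("some slice matches"), which is all Proposition 18 needs in one direction.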

2.5 Regular Constraints and EMSOL 

We can express the property of being homomorphic to a
fixed graph $G'$ by an existential monadic second-order logic
(EMSOL) formula of a special form.
Let

$$ G' = (V', s'_1, s'_2, \mathrm{null}', \mathrm{root}') $$

be a fixed graph and let $V' = \{x'_0, \ldots, x'_{k-1}\}$ with $x'_0 = \mathrm{null}'$,
$x'_1 = \mathrm{root}'$. Then (1) is a formula in EMSOL interpreted over
the graph

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

expressing that $G$ is homomorphic to $G'$. We use the uppercase
identifiers $X_0, \ldots, X_{k-1}$ to denote the second-order
variables. These variables range over the subsets of $V$. The
lowercase identifiers are first-order variables ranging over the
elements of $V$. The notation $X_i(z)$ means that $z$ is an element
of the set $X_i$. The predicate $s_i(x, y)$ means that $(x, y) \in s_i$
holds in the graph $G$. (For the precise definition of monadic
second-order logic see e.g. [10], p. 28.)

$$ \exists X_0, \ldots, X_{k-1}.\ \mathrm{partit}(X_0, \ldots, X_{k-1}) \wedge \mathrm{singl}(X_0, \mathrm{null}) \wedge \mathrm{singl}(X_1, \mathrm{root}) \wedge {} $$
$$ \forall x.\ \bigwedge_{0 \le j < k} \big( X_j(x) \Rightarrow P_j(x) \big) \qquad (1) $$

where

$$ P_j(x) \equiv P^1_j(x) \wedge P^2_j(x) $$
$$ P^i_j(x) \equiv \forall y.\ s_i(x, y) \Rightarrow \bigvee_{0 \le l < k,\ (x'_j, x'_l) \in s'_i} X_l(y) $$
$$ \mathrm{singl}(X, y) \equiv \forall z.\ X(z) \Leftrightarrow y = z $$
$$ \mathrm{partit}(Y_0, \ldots, Y_{n-1}) \equiv \forall x.\ \bigvee_{0 \le i < n} Y_i(x) \wedge \bigwedge_{0 \le i < j < n} \neg\big( Y_i(x) \wedge Y_j(x) \big) $$

Viewing a graph as a formula justifies our previous definitions
of graph satisfiability and implication. We can similarly
talk about graph conjunction, disjunction etc.

We may increase the ease of expression of some properties
by relaxing the form of the EMSOL formula (1) without
changing the expressive power. The reason is that the
relaxed form can be converted into a normal form that can
be described by a graph homomorphism. Let

$$ B_f(B_0, B_1, \ldots, B_{n-1};\ A_0, \ldots, A_{m-1}) $$

denote an arbitrary propositional combination of the formulas
$B_0, \ldots, B_{n-1}, A_0, \ldots, A_{m-1}$ in which $B_0, \ldots, B_{n-1}$ occur
only negatively. Then every formula of the following
form is expressible as a graph constraint.

$$ \exists X_0, \ldots, X_{k-1}.\ \mathrm{singl}(X_0, \mathrm{null}) \wedge \mathrm{singl}(X_1, \mathrm{root}) \wedge {} $$
$$ \forall x \forall y.\ B_1\big( s_1(x, y);\ X_0(x), \ldots, X_{k-1}(x),\ X_0(y), \ldots, X_{k-1}(y) \big) \wedge {} \qquad (2) $$
$$ B_2\big( s_2(x, y);\ X_0(x), \ldots, X_{k-1}(x),\ X_0(y), \ldots, X_{k-1}(y) \big) $$

Compared to the form (1), (2) does not require $X_0, \ldots, X_{k-1}$
to form a partition of the set of all nodes, it has the quantifiers
from $P_j$ lifted to the topmost level, and it allows arbitrary
propositional combinations of the predicates $X_i(x)$ and $X_i(y)$.

Example 19 The following formula is of the form (2). Let
us assume that the formula is interpreted over the class of
heaps. The formula states that the node root has in-degree
0.

$$ \exists X_0, X_1, X_2.\ \mathrm{singl}(X_0, \mathrm{null}) \wedge \mathrm{singl}(X_1, \mathrm{root}) \wedge {} $$
$$ \forall x \forall y.\ \neg(X_1(x) \wedge X_2(x)) \wedge (X_0(x) \Rightarrow X_2(x)) \wedge {} $$
$$ \big( s_1(x, y) \Rightarrow ((X_1(x) \Rightarrow X_2(y)) \wedge (X_2(x) \Rightarrow X_2(y))) \big) \wedge {} $$
$$ \big( s_2(x, y) \Rightarrow \neg X_1(y) \big) $$

The formula uses the set $X_2$ that contains null as well as the
nodes reachable from root along the $s_1$ edges. The formula
states explicitly that $X_1$ and $X_2$ are disjoint. Because $s_1$
edges from $X_2$ can only lead to $X_2$, there are no $s_1$ edges to
root. The constraint that root has no incoming $s_2$ edges is specified
directly, without introducing an auxiliary set of nodes. In
general, negation and the implicit absence of constraints are
often more convenient to express with a formula than with
a graph homomorphism.

Note that if we replaced the subformula $(X_0(x) \Rightarrow X_2(x))$
with $\neg(X_0(x) \wedge X_2(x))$, the resulting formula would
require the existence of a cycle in the graph.

♦



Proposition 20 The two families of formulas (1) and (2)
denote the same family of sets of graphs.

Proof. (Sketch)

Given a formula of form (1) we construct a formula of
form (2) by transforming

$$ X_j(x) \Rightarrow P^1_j(x) \wedge P^2_j(x) $$

into $X_j(x) \Rightarrow P^1_j(x)$ and $X_j(x) \Rightarrow P^2_j(x)$. This allows us
to write constraints on $s_1$ and $s_2$ separately. We then lift
the universal quantification over $y$ to the top level. The
partition constraint is expressible as a formula that has no
occurrences of $s_i$.

Conversely, suppose we are given a formula in form (2)
and suppose that the formula holds for a graph $G$ with the
set of nodes $V$. This means that there exist sets $S_0, \ldots, S_{k-1}$
that satisfy $B_1$ and $B_2$. We construct a family of sets $T_{i_0, \ldots, i_{k-1}}$
that forms a partition of the set $V$ such that every set
$S_j$ is expressible as a union of some sets $T_{i_0, \ldots, i_{k-1}}$. Namely,
we define

$$ T_{i_0, \ldots, i_{k-1}} = S_0^{i_0} \cap \cdots \cap S_{k-1}^{i_{k-1}} $$

where $i_0, \ldots, i_{k-1} \in \{0, 1\}$ and

$$ S^0 = S, \qquad S^1 = V \setminus S. $$

This motivates a construction where the second-order variables
$X_0, X_1, X_2, \ldots, X_{k-1}$ are replaced with up to $2 + 2^{k-2}$
new variables $X_0, X_1, Y_0, \ldots, Y_{n-1}$. We then express the variables
$X_2, \ldots, X_{k-1}$ in terms of $X_0, X_1, Y_0, \ldots, Y_{n-1}$, write
the boolean combinations $B_f$ in disjunctive normal form and
use the fact that $X_0, X_1, Y_0, \ldots, Y_{n-1}$ denote disjoint sets.
As a result, it is possible to write the original formula in
form (1). ■

Note that, over any class containing all heaps, not every
EMSOL formula corresponds to a regular graph constraint.
This is in contrast with trees [27] and grids [12]. Even first-order
logic can express the constraint that the graph is a grid.
On the other hand, we have shown in [13, p. 93] that not
even constraints stronger than regular graph constraints can
express the gridness property.

For a normal form construction using full existential
monadic second-order logic see [21]. For the use of higher-order
logic to express heap properties more general than
regular graph constraints, see [15].

2.6 Related Systems 

In this section we show the relationship of our regular graph 
constraints with some other systems for defining sets of 
graphs. We also illustrate that decidability of satisfiability 
and implication are sensitive to the subclass of the graphs 
considered, and change in a non-monotonic way. 

2.6.1 Words 

Regular graph constraints over lists correspond to regular 
word languages. A regular graph constraint corresponds to 
a nondeterministic finite state automaton with the initial 
state root and the final state null. 

2.6.2 Trees 

Satisfiability and implication of regular graph constraints
are decidable over the class of trees. The reason is that the
entire MSOL is decidable over trees [27], and regular graph
constraints are expressible in MSOL.

2.6.3 Pictures

Domino systems [12] are regular graph constraints over
grids.



Definition 21 A grid $m \times n$ is a graph isomorphic to

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

where

$$ V = \{\mathrm{null}\} \cup \{1, \ldots, m\} \times \{1, \ldots, n\} $$
$$ s_1 = \{\, ((i, j), (i, j+1)) \mid 1 \le i \le m;\ 1 \le j \le n-1 \,\} \cup \{\, ((i, n), \mathrm{null}) \mid 1 \le i \le m \,\} $$
$$ s_2 = \{\, ((i, j), (i+1, j)) \mid 1 \le i \le m-1;\ 1 \le j \le n \,\} \cup \{\, ((m, j), \mathrm{null}) \mid 1 \le j \le n \,\} $$
$$ \mathrm{root} = (1, 1) $$

The chapter [12] uses the term pictures for grids. It is
easy to see that over the domain of grids, regular graph
constraints are equivalent to domino systems with $s_1$ edges
denoting horizontal dominoes and $s_2$ edges denoting vertical
dominoes. The graph homomorphism corresponds to the use
of projection.

[12] states the equivalence of domino systems over pictures
with negation-free regular expressions with projections,
on-line tessellation automata, existential monadic
second-order formulas and tiling systems.

We view the fact that, over the grids, regular graph con- 
straints are equivalent to each of the systems above as an 
indication that the definition of regular graph constraints is 
natural. 

Note When comparing our regular graph constraints to
tree automata and domino systems, we notice that in our definition
of a model there are no fixed labels associated with
nodes. The only labeling of nodes comes from the graph homomorphism,
which corresponds to projection in tree and
picture languages. This simplification makes our undecidability
result strictly stronger. Furthermore, regular graph
constraints can capture the distinction between a node with
an edge terminating at null and a node with an edge terminating
at a node that is not null. This distinction can be
used to encode any fixed labeling of graph nodes in the
structure of the graph.

2.7 Decidability of Implication over Graphs 

The satisfiability problem over the class of all graphs is trivial.
Namely, $G \to G$, so every graph is satisfiable. The implication
problem over graphs is also decidable, in contrast
to the implication problem over the class of heaps, which we
will show undecidable in Section 3.

Proposition 22

$$ G_1 \leadsto_{\mathcal{G}} G_2 \ \text{ iff } \ G_1 \to G_2 $$

Proof. Let $G_1 \leadsto_{\mathcal{G}} G_2$. Because $G_1 \to G_1$, we obtain
$G_1 \to G_2$. Conversely, let $G_1 \to G_2$. By Proposition 12 we
conclude $G_1 \leadsto_{\mathcal{G}} G_2$. ■

Our regular graph constraints are weaker than the finite graph
acceptors of [26]. It is easy to see that finite graph acceptors
can define the gridness property. Therefore, domino system
satisfiability is reducible to satisfiability of finite graph
acceptors, which makes finite graph acceptor satisfiability
undecidable.
GraphCleanup: Repeat the following operations until the
graph stabilizes:

1. remove an unreachable node;

2. remove a node $x$ such that $s_1[\{x\}] = \emptyset$ or $s_2[\{x\}] = \emptyset$.

mark($x$):

1. if $x$ is marked then return, otherwise:

2. select($x$);

3. pick an $s_1$-successor $y$ of $x$; select($(x, y)$); mark($y$);

4. pick an $s_2$-successor $z$ of $x$; select($(x, z)$); mark($z$).

SatisfiabilityCheck:

1. perform GraphCleanup;

2. if the resulting graph is empty, then $G'$ is unsatisfiable;

3. otherwise a heap satisfying $G'$ can be obtained as follows:

4. let all graph nodes be unmarked;

5. mark(root);

6. return the subgraph containing the selected nodes and edges.

Figure 1: Satisfiability check for heaps

2.8 Satisfiability over Heaps 

We show that satisfiability for heaps is efficiently decidable
by the nondeterministic algorithm in Figure 1. The goal of
the algorithm is to find, given a graph $G'$, whether there
exists a heap $G$ such that $G \to G'$. Recall that the property
of a heap is that every node has exactly one outgoing $s_1$
edge and exactly one outgoing $s_2$ edge, and that every node
other than null is reachable from root. This property need
not be satisfied by $G'$, so we cannot take $G = G'$ as the
heap proving satisfiability of $G'$. The algorithm updates the
current graph until it becomes a heap or an empty graph.
(For the purpose of this algorithm we allow even null and
root to be removed from the graph.) If nonempty, the result
is a heap $G$ such that $G \to G'$.

Proposition 23 The procedure in Figure 1 is a correct algorithm
for determining satisfiability of a graph over the
class of heaps.

Proof. The procedure consists of two parts: GraphCleanup
and SatisfiabilityCheck. The GraphCleanup part eliminates
useless nodes and determines whether there exists a heap $H$
such that $H \to G'$. GraphCleanup terminates because it
decreases the size of the current graph $G$ in every step. The
mark phase terminates because it does a simple depth-first
search.

Observe that GraphCleanup does not reduce the set of
heaps homomorphic to $G'$. Namely, if a node $x$ of $G$ is
removed in GraphCleanup, then no node of a heap is mapped to $x$
under any homomorphism $h$: the image of a heap under $h$ is
reachable from root', and every node of the image has an
$s_1$-successor and an $s_2$-successor in the image. Therefore, if
GraphCleanup returns an empty graph, then $G'$ is unsatisfiable.

Assume that GraphCleanup returns a nonempty graph
$G$. Then $G$ contains root and every node $x$ has an $s_1$-successor
and an $s_2$-successor, but some of the nodes may
have several $s_1$-successors or $s_2$-successors. Invoking mark
will do a depth-first search on $G$ and pick a subgraph $H$
where every node has exactly one $s_1$-successor and one $s_2$-successor.
The resulting graph $H$ will therefore be a heap.
We have $H \to G'$ because $H$ is a subgraph of $G'$. ■
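The following added Python example (not part of the paper) implements Figure 1 as stated above: GraphCleanup iterates until the graph stabilizes, and mark then extracts a heap that is a subgraph of the cleaned graph, so the identity map is the homomorphism. Where Figure 1 says "pick" a successor, the code takes the alphabetically first one; null is kept with its self-loops and exempted from the reachability requirement, as Definition 2 allows. The two input graphs UNSAT and SAT are constructed here.

```python
"""Satisfiability over heaps: GraphCleanup and SatisfiabilityCheck of Figure 1."""


def make_graph(nodes, s1, s2, root="root", null="null"):
    """Graph of Definition 1 with the required self-loops on null."""
    return {"V": set(nodes) | {root, null},
            "s1": set(s1) | {(null, null)}, "s2": set(s2) | {(null, null)},
            "root": root, "null": null}


def succs(G, s, x):
    """Sorted s-successors of x (s is "s1" or "s2")."""
    return sorted(y for (a, y) in G[s] if a == x)


def reachable(G):
    """Nodes reachable from root (empty if root has been removed)."""
    seen = set()
    stack = [G["root"]] if G["root"] in G["V"] else []
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(succs(G, "s1", x) + succs(G, "s2", x))
    return seen


def is_heap(G):
    """Definition 2: s1, s2 total functions, every non-null node reachable."""
    total = all(len(succs(G, s, x)) == 1 for x in G["V"] for s in ("s1", "s2"))
    return total and G["V"] - {G["null"]} <= reachable(G)


def graph_cleanup(Gp):
    """GraphCleanup: repeatedly drop nodes that are unreachable or that lack
    an s1- or s2-successor. Removing a node removes its edges, which may make
    further nodes dead; root itself may go, which is the 'empty graph' case."""
    G = {"V": set(Gp["V"]), "s1": set(Gp["s1"]), "s2": set(Gp["s2"]),
         "root": Gp["root"], "null": Gp["null"]}
    while True:
        reach = reachable(G)
        dead = {x for x in G["V"] if x != G["null"] and
                (x not in reach or not succs(G, "s1", x) or not succs(G, "s2", x))}
        if not dead:
            return G
        G["V"] -= dead
        for s in ("s1", "s2"):
            G[s] = {(a, b) for (a, b) in G[s] if a not in dead and b not in dead}


def heap_model(Gp):
    """SatisfiabilityCheck: a heap H with H -> G', or None if G' has no heap
    model. H is a subgraph of G', so the identity map is the homomorphism."""
    G = graph_cleanup(Gp)
    if G["root"] not in G["V"]:
        return None
    H = make_graph([], [], [], G["root"], G["null"])
    marked = set()

    def mark(x):                         # the mark procedure of Figure 1
        if x in marked:
            return
        marked.add(x)
        H["V"].add(x)
        for s in ("s1", "s2"):
            y = succs(G, s, x)[0]        # "pick" a successor: the first one
            H[s].add((x, y))
            mark(y)

    mark(G["root"])
    return H


# Constructed constraint graph with no heap model: B lacks an s2-successor,
# its removal leaves A without an s1-successor, and so on up to root.
UNSAT = make_graph(["A", "B"],
                   s1=[("root", "A"), ("A", "B"), ("B", "null")],
                   s2=[("root", "null"), ("A", "B")])

# Constructed satisfiable graph: root has three s1-successors, C has no
# s2-successor and is cleaned away, A and B remain usable.
SAT = make_graph(["A", "B", "C"],
                 s1=[("root", "A"), ("root", "B"), ("root", "C"),
                     ("A", "A"), ("A", "null"), ("B", "null"), ("C", "null")],
                 s2=[("root", "null"), ("A", "null"), ("B", "null")])

if __name__ == "__main__":
    print("UNSAT model:", heap_model(UNSAT))
    print("SAT model:", heap_model(SAT))
```

On SAT the returned heap is root, A and null with $s_1(\mathrm{root}) = A$, $s_1(A) = A$ and all $s_2$ edges to null; every edge of it is an edge of the cleaned-up input, which is what makes the identity a homomorphism. The cleanup does at most $|V|$ rounds of linear work, so the whole check is polynomial, unlike the backtracking search one would use for an arbitrary model question.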



2.9 Closure Properties 

In this section we give a construction for computing the conjunction
of two graphs and a construction for computing the
disjunction of two graphs. We will use these constructions
in Section 3.

2.9.1 Conjunction 

We show how to use a Cartesian product construction to
obtain the conjunction of two graphs $G^1$ and $G^2$.

Definition 24 (Cartesian Product) Let

$$ G^1 = (V^1, s^1_1, s^1_2, \mathrm{null}^1, \mathrm{root}^1), \qquad G^2 = (V^2, s^2_1, s^2_2, \mathrm{null}^2, \mathrm{root}^2) $$

be graphs. Then $G^0 = G^1 \times G^2$ is the graph

$$ G^0 = (V^0, s^0_1, s^0_2, \mathrm{null}^0, \mathrm{root}^0) $$

such that:

$$ \mathrm{null}^0 = (\mathrm{null}^1, \mathrm{null}^2) $$
$$ \mathrm{root}^0 = (\mathrm{root}^1, \mathrm{root}^2) $$
$$ V^0 = \{\mathrm{null}^0, \mathrm{root}^0\} \cup (V^1 \setminus \{\mathrm{null}^1, \mathrm{root}^1\}) \times (V^2 \setminus \{\mathrm{null}^2, \mathrm{root}^2\}) $$
$$ s^0_i = \{\, ((x^1, x^2), (y^1, y^2)) \in V^0 \times V^0 \mid (x^1, y^1) \in s^1_i,\ (x^2, y^2) \in s^2_i \,\}, \quad i \in \{1, 2\} $$

Proposition 25 (Conjunction via Product) For every
graph $G$,

$$ G \to G^1 \times G^2 \ \text{ iff } \ G \to G^1 \ \text{ and } \ G \to G^2 $$

In other words, $G^1 \times G^2$ is the conjunction of $G^1$ and $G^2$.

Proof. ($\Leftarrow$): Let $G \to G^1$ and $G \to G^2$ with homomorphisms $h^1 : V \to V^1$
and $h^2 : V \to V^2$, where $G^1$ and $G^2$ are defined as in
Definition 24 and

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}). $$

Let $h^0 = h^1 \times h^2$ where

$$ (h^1 \times h^2)(x) = (h^1(x), h^2(x)). $$

We claim that $h^0$ is a homomorphism from $G$ to $G^0 = G^1 \times G^2$.
It is straightforward to verify that properties 2
and 3 of homomorphism hold for $h^0$. Let $i \in \{1, 2\}$. If
$(x, y) \in s_i$ then $(h^1(x), h^1(y)) \in s^1_i$ and $(h^2(x), h^2(y)) \in s^2_i$.
Because $h^1$ and $h^2$ satisfy properties 2 and 3 of homomorphism,
we have $(h^1(x), h^2(x)), (h^1(y), h^2(y)) \in V^0$ regardless
of whether $x, y \in \{\mathrm{null}, \mathrm{root}\}$ or not. We therefore conclude
$((h^1(x), h^2(x)), (h^1(y), h^2(y))) \in s^0_i$ by the definition
of $s^0_i$. Hence, $h^0$ is a homomorphism and $G \to G^0$.

($\Rightarrow$): Let $G \to G^0$ with $h^0 : V \to V^0$. Define $h^1 = \pi_1 \circ h^0$
and $h^2 = \pi_2 \circ h^0$, where $\pi_1$ and $\pi_2$ project a pair onto its
components. Let us show that $h^1$ is a homomorphism (an
analogous argument holds for $h^2$). It is straightforward to
see that properties 2 and 3 hold for $h^1$. For property 1,
let $i \in \{1, 2\}$ and let $(x, y) \in s_i$. Let $h^0(x) = (x^1, x^2)$ and
$h^0(y) = (y^1, y^2)$. Because $h^0$ is a homomorphism, we have

$$ ((x^1, x^2), (y^1, y^2)) \in s^0_i. $$

By the definition of $s^0_i$ we conclude $(x^1, y^1) \in s^1_i$, which by the
definition of $h^1$ means $(h^1(x), h^1(y)) \in s^1_i$. ■



2.9.2 Disjunction 

Given our definition of graphs, there is no construction that
would yield the disjunction of arbitrary graphs over a family
that contains all heaps. We illustrate this fact with an
example. We then give a simple condition on graphs that
ensures that the disjunction construction is possible over the
domain of heaps.

Example 26 Let

$$ G^1 = (\{\mathrm{root}, \mathrm{null}\}, s^1_1, s^1_2, \mathrm{null}, \mathrm{root}), \qquad s^1_1 = \{(\mathrm{root}, \mathrm{null})\}, \quad s^1_2 = \{(\mathrm{root}, \mathrm{root})\} $$

and

$$ G^2 = (\{\mathrm{root}, \mathrm{null}\}, s^2_1, s^2_2, \mathrm{null}, \mathrm{root}), \qquad s^2_1 = \{(\mathrm{root}, \mathrm{root})\}, \quad s^2_2 = \{(\mathrm{root}, \mathrm{null})\} $$

(the two self-loops on null are omitted, as always). In the class of heaps, the only model for $G^1$ is $G^1$ itself, and
the only model of $G^2$ is $G^2$. Now assume that there exists a
graph

$$ G^0 = (V^0, s^0_1, s^0_2, \mathrm{null}, \mathrm{root}) $$

such that $G^1 \to G^0$ and $G^2 \to G^0$. From $G^1 \to G^0$ we
conclude

$$ (\mathrm{root}, \mathrm{null}) \in s^0_1 $$

and from $G^2 \to G^0$ we conclude

$$ (\mathrm{root}, \mathrm{null}) \in s^0_2. $$

Therefore for the graph

$$ G^3 = (\{\mathrm{root}, \mathrm{null}\}, s^3_1, s^3_2, \mathrm{null}, \mathrm{root}), \qquad s^3_1 = \{(\mathrm{root}, \mathrm{null})\}, \quad s^3_2 = \{(\mathrm{root}, \mathrm{null})\} $$

we have $G^3 \to G^0$ as well, although the heap $G^3$ is a model of neither $G^1$ nor $G^2$. So there is no graph $G^0$ such that
for all heaps $G$,

$$ (G \to G^0) \ \text{ iff } \ ((G \to G^1) \ \text{ or } \ (G \to G^2)). $$

♦

To ensure that we can find union graphs over the set of
heaps, we will require $s_2(\mathrm{root}) = \mathrm{null}$.

Definition 27 (Orable Graphs) A graph

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}) $$

is orable iff for all $x \in V$,

$$ (\mathrm{root}, x) \in s_2 \ \text{ iff } \ x = \mathrm{null}. $$




Figure 2: Graph Sum

Definition 28 (Graph Sum) Let

$$ G^1 = (V^1, s^1_1, s^1_2, \mathrm{null}, \mathrm{root}), \qquad G^2 = (V^2, s^2_1, s^2_2, \mathrm{null}, \mathrm{root}) $$

be orable graphs such that $V^1 \cap V^2 = \{\mathrm{null}, \mathrm{root}\}$. Then
$G^0 = G^1 + G^2$ is the graph

$$ G^0 = (V^1 \cup V^2, s^0_1, s^0_2, \mathrm{null}, \mathrm{root}) $$

where

$$ s^0_1 = s^1_1 \cup s^2_1, \qquad s^0_2 = s^1_2 \cup s^2_2. $$

The following simple fact allows us to form arbitrary finite
sums of orable graphs.

Proposition 29 If $G^1$ and $G^2$ are orable graphs, then $G^1 + G^2$
is also orable.

Proposition 30 (Disjunction via Sum) Let $G$ be a
heap and $G^1$ and $G^2$ be orable graphs. Then

$$ G \to G^1 + G^2 \ \text{ iff } \ G \to G^1 \ \text{ or } \ G \to G^2 $$

Proof. ($\Leftarrow$): Assume without loss of generality $G \to G^1$.
Because $G^1$ is a subgraph of $G^1 + G^2$, the identity is a
homomorphism from $G^1$ into $G^1 + G^2$. By Proposition 9 we
conclude $G \to G^1 + G^2$.

($\Rightarrow$): Let $G^0 = G^1 + G^2$ where $G^1$ and $G^2$ are
as in Definition 28, and let $G \to G^0$ with a homomorphism
$h : V \to V^0$ where

$$ G = (V, s_1, s_2, \mathrm{null}, \mathrm{root}). $$

We claim

$$ h[V] \subseteq V^1 \ \text{ or } \ h[V] \subseteq V^2. \qquad (3) $$

Suppose the claim does not hold. Then there exist $x^0, y^0 \in V$
such that

$$ x^1 \in V^1 \setminus V^2, \qquad y^2 \in V^2 \setminus V^1 $$

where $x^1 = h(x^0)$ and $y^2 = h(y^0)$. By the definition of heap,
there exists a sequence of nodes $p = \mathrm{root}, z^0, \ldots, x^0$ forming
a path from root to $x^0$ in $G$. Because $x^1 \notin \{\mathrm{null}, \mathrm{root}\}$, the
path contains at least two nodes and $z^0 \notin \{\mathrm{null}, \mathrm{root}\}$ (it may
or may not be the case that $z^0 = x^0$). Because $G^1 + G^2$ is orable, the
edge from root to $z^0$ cannot be an $s_2$ edge, so $s_1(\mathrm{root}) = z^0$.
We claim $h(z^0) \in V^1 \setminus V^2$. Indeed, suppose $h(z^0) \in V^2$.
By the properties of homomorphism and because in $G^1 + G^2$
there are no edges from nodes in $V^2 \setminus \{\mathrm{null}, \mathrm{root}\}$ to nodes in
$V^1 \setminus \{\mathrm{null}, \mathrm{root}\}$, we have $h(w) \in V^2$ for every node $w$ of the
path $p$ after root. This contradicts $h(x^0) \in V^1 \setminus V^2$. We
conclude

$$ h(z^0) \in V^1 \setminus V^2. $$

Repeating the analogous argument for the node $y^0$, we conclude
$h(z^0) \in V^2 \setminus V^1$, because $z^0 = s_1(\mathrm{root})$ is the unique $s_1$-successor of root in
the heap $G$. We have arrived at a contradiction, so (3) is true.
If $h[V] \subseteq V^1$ then $G \to G^1$, and if $h[V] \subseteq V^2$ then $G \to G^2$.
■

A product of orable graphs is orable.

Proposition 31 Let $G^1$ and $G^2$ be orable graphs. Then
$G^1 \times G^2$ is orable.

In the sequel we will deal only with orable graphs.
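Both closure constructions, Definition 24 (product) and Definition 28 (sum of orable graphs), are short enough to state as code. The following added Python example (not part of the paper) builds them and checks the two facts the proofs of Propositions 25 and 30 rely on: the projections out of a product are homomorphisms, and the identity embeds each summand into the sum. It also checks that the product and the sum of orable graphs are orable (Propositions 29 and 31) and that the first graph of Example 26 is not orable. The graphs G1, G2 and the dictionary representation are constructed here.

```python
"""Conjunction via Cartesian product (Definition 24) and disjunction via
graph sum of orable graphs (Definitions 27 and 28)."""


def make_graph(nodes, s1, s2, root="root", null="null"):
    """Graph of Definition 1 with the required self-loops on null."""
    return {"V": set(nodes) | {root, null},
            "s1": set(s1) | {(null, null)}, "s2": set(s2) | {(null, null)},
            "root": root, "null": null}


def is_homomorphism(G, Gp, h):
    """Definition 7 for a concrete map h: V -> V'."""
    for const in ("root", "null"):
        if any((h[x] == Gp[const]) != (x == G[const]) for x in G["V"]):
            return False
    return all((h[x], h[y]) in Gp[s] for s in ("s1", "s2") for (x, y) in G[s])


def product(G1, G2):
    """G1 x G2: root^0 and null^0 are the pairs of constants, every other
    node is a pair of non-constant nodes, and an edge of kind i joins two
    pairs (both in V^0) iff both components are s_i edges."""
    root, null = (G1["root"], G2["root"]), (G1["null"], G2["null"])
    inner1 = G1["V"] - {G1["root"], G1["null"]}
    inner2 = G2["V"] - {G2["root"], G2["null"]}
    V = {root, null} | {(x, y) for x in inner1 for y in inner2}
    G = {"V": V, "root": root, "null": null}
    for s in ("s1", "s2"):
        G[s] = {((x1, x2), (y1, y2)) for (x1, y1) in G1[s] for (x2, y2) in G2[s]
                if (x1, x2) in V and (y1, y2) in V}
    return G


def projection(G0, i):
    """pi_i on the nodes of a product: the map used in Proposition 25 (=>)."""
    return {v: v[i] for v in G0["V"]}


def is_orable(G):
    """Definition 27: the only s2-successor of root is null."""
    return {y for (x, y) in G["s2"] if x == G["root"]} == {G["null"]}


def graph_sum(G1, G2):
    """G1 + G2 of Definition 28: union of orable graphs that share exactly
    the constants root and null. The side conditions are enforced."""
    if not (is_orable(G1) and is_orable(G2)):
        raise ValueError("operands must be orable")
    if G1["root"] != G2["root"] or G1["V"] & G2["V"] != {G1["root"], G1["null"]}:
        raise ValueError("operands may share only root and null")
    return {"V": G1["V"] | G2["V"], "s1": G1["s1"] | G2["s1"],
            "s2": G1["s2"] | G2["s2"], "root": G1["root"], "null": G1["null"]}


# Two constructed orable graphs with disjoint non-constant nodes.
G1 = make_graph(["A"], s1=[("root", "A"), ("A", "A"), ("A", "null")],
                s2=[("root", "null"), ("A", "null")])
G2 = make_graph(["B"], s1=[("root", "B"), ("B", "null")],
                s2=[("root", "null"), ("B", "B"), ("B", "null")])

# The first graph of Example 26 has s2(root) = root, so it is not orable.
EX26_A = make_graph([], s1=[("root", "null")], s2=[("root", "root")])


def conjunction_projections_ok():
    """Both projections of G1 x G2 are homomorphisms (Proposition 25, =>)."""
    P = product(G1, G2)
    return (is_homomorphism(P, G1, projection(P, 0)) and
            is_homomorphism(P, G2, projection(P, 1)))


def sum_inclusions_ok():
    """The identity embeds each summand into G1 + G2 (Proposition 30, <=)."""
    S = graph_sum(G1, G2)
    return all(is_homomorphism(Gi, S, {v: v for v in Gi["V"]}) for Gi in (G1, G2))


if __name__ == "__main__":
    print("product nodes:", sorted(map(str, product(G1, G2)["V"])))
    print("projections are homomorphisms:", conjunction_projections_ok())
    print("sum is orable:", is_orable(graph_sum(G1, G2)))
    print("Example 26 first graph orable:", is_orable(EX26_A))
```

For the two sample graphs the product has exactly one non-constant node, the pair (A, B), because an $s^0_i$ edge needs both components to be edges and both endpoints to lie in $V^0$; pairs such as (A, null) are never nodes, which is what makes the product a graph in the sense of Definition 1.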
3 Undecidability of Implication 

This section presents the central result of this paper: The 
implication of graphs is undecidable over the class of heaps. 
Our proof proceeds in two steps. We first introduce a family 
of corresponder graphs. We show that satisfiability of graphs 
over the family of corresponder graphs is undecidable. 

In the second step we show that satisfiability over corresponder graphs can be reduced to the question of whether an implication between two graphs fails to hold. The key to the construction in the second step is that a conjunction of certain regular graph constraints and negations of regular graph constraints can precisely characterize the class of corresponder graphs.

3.1 Corresponder Graphs 

Corresponder graphs are a subclass of the class of heaps. Figure 3 shows an example corresponder graph.

Definition 32 Let $k \geq 2$, $n \geq 2$, and

$0 = u_0 < u_1 < \ldots < u_{k-1} < n$
$0 = l_0 < l_1 < \ldots < l_{k-1} < n$.

A corresponder graph

$CG(n, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$

is a graph isomorphic to

$G = (V, s_1, s_2, \mathrm{null}, \mathrm{root})$

where

$V = \{\mathrm{null}, \mathrm{root}\}$
$\quad \cup\ \{C_0, C_1, \ldots, C_{2k-1}\}$
$\quad \cup\ \{U_0, U_1, \ldots, U_{2n-1}\}$
$\quad \cup\ \{L_0, L_1, \ldots, L_{2n-1}\}$

$s_1 = \{(\mathrm{root}, C_0)\}$
$\quad \cup\ \{(C_i, C_{i+1}) \mid 0 \leq i < 2k-1\}$
$\quad \cup\ \{(C_{2k-1}, \mathrm{null})\}$
$\quad \cup\ \{(U_i, U_{i+1}) \mid 0 \leq i < 2n-1\}$
$\quad \cup\ \{(U_{2n-1}, \mathrm{null})\}$
$\quad \cup\ \{(L_i, L_{i+1}) \mid 0 \leq i < 2n-1\}$
$\quad \cup\ \{(L_{2n-1}, \mathrm{null})\}$

$s_2 = \{(\mathrm{root}, \mathrm{null})\}$
$\quad \cup\ \{(C_{2i}, U_{2u_i}) \mid 0 \leq i < k\}$
$\quad \cup\ \{(C_{2i+1}, L_{2l_i+1}) \mid 0 \leq i < k\}$
$\quad \cup\ \{(U_{2i}, L_{2i}) \mid 0 \leq i < n\}$
$\quad \cup\ \{(L_{2i+1}, U_{2i+1}) \mid 0 \leq i < n\}$
$\quad \cup\ \{(U_{2i+1}, \mathrm{null}) \mid i \in \{0, \ldots, n-1\} \setminus \{l_0, \ldots, l_{k-1}\}\}$
$\quad \cup\ \{(U_{2i+1}, \mathrm{root}) \mid i \in \{l_0, \ldots, l_{k-1}\}\}$
$\quad \cup\ \{(L_{2i}, \mathrm{null}) \mid i \in \{0, \ldots, n-1\} \setminus \{u_0, \ldots, u_{k-1}\}\}$
$\quad \cup\ \{(L_{2i}, \mathrm{root}) \mid i \in \{u_0, \ldots, u_{k-1}\}\}$.

The family $CG$ is the union of all corresponder graphs $CG(n, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$.

3.2 Corresponder Graph Satisfiability 

For completeness we define the Post correspondence problem, PCP [17, p. 183].

Definition 33 A PCP instance is a sequence of pairs of nonempty words:

$(v_0, w_0), (v_1, w_1), \ldots, (v_{m-1}, w_{m-1})$.

A solution for a PCP instance is a sequence

$t_0, t_1, \ldots, t_{k-1}$

such that

$v_{t_0} v_{t_1} \ldots v_{t_{k-1}} = w_{t_0} w_{t_1} \ldots w_{t_{k-1}}$.

[22] contains the proof for the following theorem.

Theorem 34 The following problem is undecidable: given a PCP instance, does it have a solution.

We will use the following proposition to establish undecid- 
ability of graph implication. 

Proposition 35 Satisfiability of graphs over the class of 
corresponder graphs is undecidable. 

Proof. We give a reduction from PCP. Let $m \geq 2$ and let

$(v_0, w_0), (v_1, w_1), \ldots, (v_{m-1}, w_{m-1})$

be an instance of PCP where $v_i, w_i$ are nonempty words. Introduce names $v_i^j$ and $w_i^j$ for the letters in the words $v_i, w_i$:

$v_i = v_i^0 v_i^1 \ldots v_i^{p_i - 1}$, $0 \leq i \leq m-1$
$w_i = w_i^0 w_i^1 \ldots w_i^{q_i - 1}$, $0 \leq i \leq m-1$

where $p_i = |v_i|$ and $q_i = |w_i|$. We construct a graph $G$ such that there exists a corresponder graph $G_0$ with the property $G_0 \to G$ iff the PCP instance has a solution.

Figure 4 illustrates how a corresponder graph $G_0$ with a homomorphism from $G_0$ to $G$ encodes a solution of the PCP instance $(c, bc), (ab, a)$.

Let

$G = (V, s_1, s_2, \mathrm{null}, \mathrm{root})$.
Figure 3: An Example Corresponder Graph ($k = 2$, $n = 3$)

Figure 4: Corresponder Graph with a Homomorphism Encoding a Solution of $(c, bc), (ab, a)$

Define the components of $G$ as follows. For every pair of words $(v_i, w_i)$ introduce two nodes $c_{2i}, c_{2i+1} \in V$. These nodes will summarize the $C$-nodes of a corresponder graph. For every position $v_i^j$ of the word $v_i$ introduce nodes $a_i^{2j,0}$ and $a_i^{2j+1,0}$, and for every position $w_i^l$ introduce nodes $b_i^{2l,0}$ and $b_i^{2l+1,0}$. The $a$-nodes will summarize the $U$-nodes and the $b$-nodes will summarize the $L$-nodes of the corresponder graph. Introduce also the additional nodes $b_i^{2l,1}$ to encode the information that an $a$-node has an incoming edge from a $c$-node. As we will see below, the $b_i^{2l,1}$ nodes have $s_2$ pointing to root as opposed to null, which ensures that every $a_i^{0,0}$ node has an incoming edge from a $c$-node. For analogous reasons we introduce the $a_i^{2j+1,1}$ nodes. Let

$V = \{\mathrm{null}, \mathrm{root}\}$
$\quad \cup\ \{c_0, c_1, \ldots, c_{2m-1}\}$
$\quad \cup\ \{a_i^{j,0} \mid 0 \leq i < m;\ 0 \leq j < 2p_i\}$
$\quad \cup\ \{b_i^{j,0} \mid 0 \leq i < m;\ 0 \leq j < 2q_i\}$
$\quad \cup\ \{b_i^{2j,1} \mid 0 \leq i < m;\ 0 \leq j < q_i\}$
$\quad \cup\ \{a_i^{2j+1,1} \mid 0 \leq i < m;\ 0 \leq j < p_i\}$.



Define the $s_1$ graph edges as follows.

The $c_i$ nodes are connected into a list that begins with root and in which every $c_{2i}$ is followed by $c_{2i+1}$. The pairs $c_{2i}, c_{2i+1}$ for different $i$ can repeat in the list any number of times and in arbitrary order. This list will encode a PCP instance solution.

The nodes representing word positions are linked in the order in which they appear in the word. The last position in a word can be followed by the first position of any other word, or by null. The nodes for the $v_i$ words and the nodes for the $w_i$ words form disjoint lists along the $s_1$ edges.

$s_1 = \{(\mathrm{root}, c_{2i}) \mid 0 \leq i < m\}$
$\quad \cup\ \{(c_{2i}, c_{2i+1}) \mid 0 \leq i < m\}$
$\quad \cup\ \{(c_{2i+1}, c_{2j}) \mid 0 \leq i, j < m\}$
$\quad \cup\ \{(c_{2i+1}, \mathrm{null}) \mid 0 \leq i < m\}$
$\quad \cup\ \{(a_i^{2j,0}, a_i^{2j+1,\alpha}) \mid 0 \leq i < m;\ 0 \leq j < p_i;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(a_i^{2j+1,\alpha}, a_i^{2j+2,0}) \mid 0 \leq i < m;\ 0 \leq j < p_i - 1;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(a_i^{2p_i-1,\alpha}, a_j^{0,0}) \mid 0 \leq i, j < m;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(a_i^{2p_i-1,\alpha}, \mathrm{null}) \mid 0 \leq i < m;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(b_i^{2j,\alpha}, b_i^{2j+1,0}) \mid 0 \leq i < m;\ 0 \leq j < q_i;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(b_i^{2j+1,0}, b_i^{2j+2,\alpha}) \mid 0 \leq i < m;\ 0 \leq j < q_i - 1;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(b_i^{2q_i-1,0}, b_j^{0,\alpha}) \mid 0 \leq i, j < m;\ \alpha \in \{0,1\}\}$
$\quad \cup\ \{(b_i^{2q_i-1,0}, \mathrm{null}) \mid 0 \leq i < m\}$.



We define the $s_2$ graph edges as follows.

Every $c_i$ node points to the position at the beginning of the word. Even numbered nodes point to the $a^0$-positions; odd numbered nodes point to the $b^1$-positions.

The $a_i$ and $b_j$ word positions are connected so that an $a$-node points to a $b$-node for even indices, whereas a $b$-node points to an $a$-node for odd indices.

$s_2 = \{(\mathrm{root}, \mathrm{null})\}$
$\quad \cup\ \{(c_{2i}, a_i^{0,0}) \mid 0 \leq i < m\}$
$\quad \cup\ \{(c_{2i+1}, b_i^{1,0}) \mid 0 \leq i < m\}$
$\quad \cup\ \{(a_i^{0,0}, b_k^{2l,1}) \mid 0 \leq i, k < m;\ 0 \leq l < q_k;\ v_i^0 = w_k^l\}$
$\quad \cup\ \{(a_i^{2j,0}, b_k^{2l,0}) \mid 0 \leq i, k < m;\ 0 < j < p_i;\ 0 \leq l < q_k;\ v_i^j = w_k^l\}$
$\quad \cup\ \{(b_k^{2l,0}, \mathrm{null}) \mid 0 \leq k < m;\ 0 \leq l < q_k\}$
$\quad \cup\ \{(b_k^{2l,1}, \mathrm{root}) \mid 0 \leq k < m;\ 0 \leq l < q_k\}$
$\quad \cup\ \{(b_k^{1,0}, a_i^{2j+1,1}) \mid 0 \leq i, k < m;\ 0 \leq j < p_i;\ v_i^j = w_k^0\}$
$\quad \cup\ \{(b_k^{2l+1,0}, a_i^{2j+1,0}) \mid 0 \leq i, k < m;\ 0 \leq j < p_i;\ 0 < l < q_k;\ v_i^j = w_k^l\}$
$\quad \cup\ \{(a_i^{2j+1,0}, \mathrm{null}) \mid 0 \leq i < m;\ 0 \leq j < p_i\}$
$\quad \cup\ \{(a_i^{2j+1,1}, \mathrm{root}) \mid 0 \leq i < m;\ 0 \leq j < p_i\}$.

This completes the definition of $G$.

Claim 36 The PCP instance has a solution iff there exists a corresponder graph $G_0$ such that $G_0 \to G$.

($\Rightarrow$): Assume that the PCP instance has a solution $t_0, t_1, \ldots, t_{k-1}$. Then

$v_{t_0} v_{t_1} \ldots v_{t_{k-1}} = w_{t_0} w_{t_1} \ldots w_{t_{k-1}}$.

Let $u_0 = l_0 = 0$,

$n = \sum_{j=0}^{k-1} p_{t_j} = \sum_{j=0}^{k-1} q_{t_j}$,

$u_{i+1} = \sum_{j=0}^{i} p_{t_j}$, $0 \leq i < k-1$,

$l_{i+1} = \sum_{j=0}^{i} q_{t_j}$, $0 \leq i < k-1$,

and let

$G_0 = CG(n, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$

be a corresponder graph. We construct a homomorphism $h$ from $G_0$ to $G$ as follows. We map the $C$-nodes of $G_0$ into the $c$-nodes of $G$:

$h(C_{2j}) = c_{2t_j}$, $0 \leq j < k$
$h(C_{2j+1}) = c_{2t_j+1}$, $0 \leq j < k$

For $0 \leq f < n$, let $d_u(f)$ denote the largest index $i$ such that $u_i \leq f$. We map the $U$-nodes into $a$-nodes as follows. Consider a node $U_{2f}$. Let $i = d_u(f)$. Then $U_{2f}$ is the even node that represents the letter $v_{t_i}^{f - u_i}$ of the word $v_{t_i}$:

$h(U_{2f}) = a_{t_i}^{2(f - u_i), 0}$, $i = d_u(f)$, $0 \leq f < n$.

The mapping of $U_{2f+1}$ is similar. In this case we also encode the information whether $L_{2f+1}$ has an $s_2$-edge from a $C$-node:

$h(U_{2f+1}) = a_{t_i}^{2(f - u_i) + 1, \alpha}$, $i = d_u(f)$, $0 \leq f < n$

where

$\alpha = 1$ if $f \in \{l_0, l_1, \ldots, l_{k-1}\}$, and $\alpha = 0$ otherwise.

The mapping of the $L$-nodes is analogous. Let $d_l(f)$ denote the largest index $i$ such that $l_i \leq f$. Then

$h(L_{2f+1}) = b_{t_i}^{2(f - l_i) + 1, 0}$, $i = d_l(f)$, $0 \leq f < n$
$h(L_{2f}) = b_{t_i}^{2(f - l_i), \beta}$, $i = d_l(f)$, $0 \leq f < n$

where

$\beta = 1$ if $f \in \{u_0, u_1, \ldots, u_{k-1}\}$, and $\beta = 0$ otherwise.

It is straightforward to verify that $h$ is indeed a homomorphism.

($\Leftarrow$): Assume that $G_0 \to G$ where

$G_0 = CG(n, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$

is a corresponder graph and $h$ is a homomorphism from $G_0$ to $G$. Because in graph $G$ all paths given by the regular expression $1^*$ lead to $c_i$-nodes or null, we conclude that each $C_j$ node is mapped to some $c_i$ node. For $0 \leq j < k$ we define

$t_j = i$ iff $h(C_{2j}) = c_{2i}$.

From the properties of homomorphism we derive

$t_j = i$ iff $h(C_{2j+1}) = c_{2i+1}$.

We will show that $t_j$ is a solution of the PCP instance. Let $u_0 = l_0 = 0$ and $u_k = l_k = n$. Let $\tau$ map every $a$-node and $b$-node to the letter it represents,

$\tau(a_i^{2j,\alpha}) = \tau(a_i^{2j+1,\alpha}) = v_i^j$, $\quad \tau(b_i^{2j,\alpha}) = \tau(b_i^{2j+1,\alpha}) = w_i^j$,

and $h' = \tau \circ h$. By construction of $s_2$ in $G$ we have

$h'(U_{2j}) = h'(U_{2j+1}) = h'(L_{2j}) = h'(L_{2j+1})$

for $0 \leq j < n$. To prove

$v_{t_0} v_{t_1} \ldots v_{t_{k-1}} = w_{t_0} w_{t_1} \ldots w_{t_{k-1}}$

it therefore suffices to show

$v_{t_j} = h'(U_{2u_j})\, h'(U_{2(u_j+1)}) \ldots h'(U_{2(u_{j+1}-1)})$ (4)
$w_{t_j} = h'(L_{2l_j+1})\, h'(L_{2(l_j+1)+1}) \ldots h'(L_{2(l_{j+1}-1)+1})$ (5)

for $0 \leq j < k$. Let $t_j = i$. Then $h(C_{2j}) = c_{2i}$. We have $(C_{2j}, U_{2u_j}) \in s_2$ in the corresponder graph $G_0$. On the other hand, $(c_{2i}, a_i^{0,0}) \in s_2$ is the only $s_2$-outgoing edge of $c_{2i}$ in $G$. Therefore, $h(U_{2u_j}) = a_i^{0,0}$. From this, we first conclude $h'(U_{2u_j}) = v_i^0$. Next, by construction of the $s_1$ edges of $G$ and $G_0$ we get

$h(U_{2(u_j+1)}) = a_i^{2,0}$
$\ldots$
$h(U_{2(u_j+p_i-1)}) = a_i^{2(p_i-1),0}$.

To establish (4) it suffices to show $u_j + p_i = u_{j+1}$. To see that the equality holds, suppose first $u_j + p_i > u_{j+1}$. Then $h(U_{2u_{j+1}}) = a_i^{2f,0}$ where $f > 0$. Because $h$ is a homomorphism, following the $s_2$ edge once we conclude $h(L_{2u_{j+1}}) = b_g^{2l,0}$ for some $g$ and $l$, and following $s_2$ for the second time we obtain a contradiction, because in the corresponder graph $s_2(L_{2u_{j+1}}) = \mathrm{root}$ but in $G$ we have $s_2(b_g^{2l,0}) = \mathrm{null}$. Similarly, suppose now $u_j + p_i < u_{j+1}$. Then $s_1(U_{2(u_j+p_i-1)}) \neq \mathrm{null}$, so let $U_{2(u_j+p_i)} = s_1(s_1(U_{2(u_j+p_i-1)}))$. Because $u_j + p_i \notin \{u_0, \ldots, u_{k-1}\}$, we get

$s_2(s_2(U_{2(u_j+p_i)})) = \mathrm{null}$.

On the other hand, $h(U_{2(u_j+p_i)}) = a_f^{0,0}$ for some $f$, so

$s_2(s_2(h(U_{2(u_j+p_i)}))) = \mathrm{root}$,

which is again a contradiction. Therefore $u_j + p_i = u_{j+1}$. Showing (5) is analogous. We conclude that $t_0, \ldots, t_{k-1}$ is a solution for the PCP instance.

Our claim is therefore true and satisfiability over corresponder graphs is undecidable. ■
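As an added example (not code from the paper), the following Python builds the corresponder graph of Definition 32, the graph $G$ of the proof above, and the map $h$ of Claim 36 ($\Rightarrow$), and checks edge by edge that $h$ is a homomorphism for the instance $(c, bc), (ab, a)$ of Figure 4. The function names, the tuple encoding of nodes and the dict representation of $s_1, s_2$ are this example's own conventions.

```python
# Added example, not from the paper: a runnable model of Definition 32 and of the
# reduction in Proposition 35 / Claim 36.  A graph is a pair (s1, s2) of dicts
# node -> set of successors; "root"/"null" are the shared special nodes (edges out
# of null are not modelled), every other node is a tuple such as ("U", 3).
from itertools import accumulate, product


def _edge(rel, x, y):
    rel.setdefault(x, set()).add(y)


def corresponder_graph(n, k, u, l):
    """CG(n, k, u_1..u_{k-1}, l_1..l_{k-1}) of Definition 32; u and l include u_0 = l_0 = 0."""
    assert len(u) == k == len(l) and u[0] == 0 == l[0] and max(u[-1], l[-1]) < n
    C = [("C", i) for i in range(2 * k)]
    U = [("U", i) for i in range(2 * n)]
    L = [("L", i) for i in range(2 * n)]
    s1, s2 = {}, {}
    _edge(s1, "root", C[0]); _edge(s2, "root", "null")
    for xs in (C, U, L):                       # three s1-lists, each ending in null
        for x, y in zip(xs, xs[1:] + ["null"]):
            _edge(s1, x, y)
    for i in range(k):                         # C-nodes point into the U and L lists
        _edge(s2, C[2 * i], U[2 * u[i]]); _edge(s2, C[2 * i + 1], L[2 * l[i] + 1])
    for i in range(n):                         # column i: U_2i -> L_2i, L_2i+1 -> U_2i+1
        _edge(s2, U[2 * i], L[2 * i]); _edge(s2, L[2 * i + 1], U[2 * i + 1])
        _edge(s2, U[2 * i + 1], "root" if i in l else "null")
        _edge(s2, L[2 * i], "root" if i in u else "null")
    return s1, s2


def pcp_graph(pairs):
    """The graph G that the proof of Proposition 35 builds from a PCP instance [(v_i, w_i)]."""
    m, (s1, s2) = len(pairs), ({}, {})
    a = lambda i, j, al: ("a", i, j, al)       # a_i^{j,alpha}: position j of word v_i
    b = lambda i, j, al: ("b", i, j, al)       # b_i^{j,alpha}: position j of word w_i
    c = lambda i: ("c", i)
    _edge(s2, "root", "null")
    for i, (v, w) in enumerate(pairs):
        p, q = len(v), len(w)
        _edge(s1, "root", c(2 * i)); _edge(s1, c(2 * i), c(2 * i + 1)); _edge(s1, c(2 * i + 1), "null")
        for j in range(m):
            _edge(s1, c(2 * i + 1), c(2 * j))   # any pair may follow any pair in the c-list
        _edge(s2, c(2 * i), a(i, 0, 0)); _edge(s2, c(2 * i + 1), b(i, 1, 0))
        for j, al in product(range(p), (0, 1)):        # a-list of v_i; its last node may
            _edge(s1, a(i, 2 * j, 0), a(i, 2 * j + 1, al))   # continue into any word or null
            for nxt in ([a(i, 2 * j + 2, 0)] if j < p - 1 else ["null"] + [a(i2, 0, 0) for i2 in range(m)]):
                _edge(s1, a(i, 2 * j + 1, al), nxt)
            _edge(s2, a(i, 2 * j + 1, al), "root" if al else "null")
        for l, al in product(range(q), (0, 1)):        # b-list of w_i, the mirror image
            _edge(s1, b(i, 2 * l, al), b(i, 2 * l + 1, 0))
            for nxt in ([b(i, 2 * l + 2, al)] if l < q - 1 else ["null"] + [b(i2, 0, al) for i2 in range(m)]):
                _edge(s1, b(i, 2 * l + 1, 0), nxt)
            _edge(s2, b(i, 2 * l, al), "root" if al else "null")
    # s2 edges between the two lists only where letters agree; alpha = 1 marks word starts
    for (i, (v, _)), (k, (_, w)) in product(enumerate(pairs), repeat=2):
        for (j, vj), (l, wl) in product(enumerate(v), enumerate(w)):
            if vj == wl:
                _edge(s2, a(i, 2 * j, 0), b(k, 2 * l, 1 if j == 0 else 0))
                _edge(s2, b(k, 2 * l + 1, 0), a(i, 2 * j + 1, 1 if l == 0 else 0))
    return s1, s2


def is_homomorphism(h, src, dst):
    """Every s1/s2 edge of src maps onto an s1/s2 edge of dst; root and null are fixed."""
    img = lambda x: h.get(x, x)
    return all(img(y) in rel_d.get(img(x), ())
               for rel_s, rel_d in zip(src, dst)
               for x, ys in rel_s.items() for y in ys)


def claim36_homomorphism(pairs, t):
    """G_0 and the map h of Claim 36 (=>) for candidate t; (None, None) if no CG fits."""
    u = [0] + list(accumulate(len(pairs[tj][0]) for tj in t))   # u_0 .. u_k
    l = [0] + list(accumulate(len(pairs[tj][1]) for tj in t))   # l_0 .. l_k
    k, n = len(t), u[-1]
    if l[-1] != n:                             # sum p_{t_j} != sum q_{t_j}
        return None, None
    g0 = corresponder_graph(n, k, u[:-1], l[:-1])
    d = lambda bounds, f: max(i for i in range(k) if bounds[i] <= f)   # d_u / d_l
    h = {}
    for j in range(k):
        h[("C", 2 * j)], h[("C", 2 * j + 1)] = ("c", 2 * t[j]), ("c", 2 * t[j] + 1)
    for f in range(n):
        i = d(u, f)                            # U_2f is letter f - u_i of v_{t_i}
        h[("U", 2 * f)] = ("a", t[i], 2 * (f - u[i]), 0)
        h[("U", 2 * f + 1)] = ("a", t[i], 2 * (f - u[i]) + 1, 1 if f in l else 0)
        i = d(l, f)                            # L_2f+1 is letter f - l_i of w_{t_i}
        h[("L", 2 * f)] = ("b", t[i], 2 * (f - l[i]), 1 if f in u else 0)
        h[("L", 2 * f + 1)] = ("b", t[i], 2 * (f - l[i]) + 1, 0)
    return g0, h


def encodes_solution(pairs, t):
    """True iff the Claim 36 map is a homomorphism G_0 -> G, i.e. iff t solves the instance."""
    g0, h = claim36_homomorphism(pairs, t)
    return g0 is not None and is_homomorphism(h, g0, pcp_graph(pairs))


PCP = [("c", "bc"), ("ab", "a")]   # Figure 4's instance: t = (1, 0) gives "abc" = "abc"
```

`encodes_solution` is True exactly when the two concatenations agree letter by letter, which is how the map of Claim 36 turns word equality into edge preservation.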

3.3 Defining Corresponder Graphs 

In this section we construct graphs $P$ and $Q$ such that

$G_0 \to (P \wedge \neg Q)$ (6)

iff $G_0$ is a corresponder graph.

When presenting the graphs $P, Q_0, \ldots, Q_{16}$ we use the following conventions. We use the label $r$ to denote the root of the graph. We label the edges of the relation $s_1$ by 1 and the edges of $s_2$ by 2. Note that if a node has no outgoing edges, it would be useless in the graph in terms of specifying a set of models $G_0$. Every graph node will therefore have at least one outgoing edge for every label. However, in order to make the graph sketches clearer, if a node $x$ has an outgoing edge with label $a$ to every node in the graph, we simply omit all $a$ edges of node $x$ from the sketch. In particular, if a node has no outgoing edges in the graph sketch, it means that its outgoing edges are unconstrained. A double-headed arrow from node $x$ to node $y$ with label $a$ denotes two single arrows, one from $x$ to $y$ and one from $y$ to $x$, both labeled with $a$. We do not show the edge $(\mathrm{root}, \mathrm{null}) \in s_2$ that is always present in an orable graph. We also do not show the edges originating from null. We will be free to display null several times in the same picture; all these occurrences denote the unique null node in the graph.

The graph $P$ in Figure [?] is our first approximation of a corresponder graph. Unfortunately, $P$ allows some models that are not corresponder graphs, such as the example in Figure [?]. This is why we introduce the graph $Q$. The graph $Q$ appears in (6) negated and we design it to contain the models of $P$ that are not corresponder graphs.
Figure 7: Graph $Q_0$

Figure 8: Graph $Q_1$

Figure 9: Graph $Q_2$

Figure 10: Graph $Q_3$

Figure 11: Graph $Q_4$

Figure 12: Graph $Q_5$

Figure 13: Graph $Q_6$

We construct $Q$ as a sum of orable graphs:

$Q = Q_0 + Q_1 + \ldots + Q_{16}$.

The idea behind the construction of these graphs comes from the proof of Proposition 37; we now give only an informal overview of the graphs. The graphs $Q_0$ (Figure 7), $Q_1$ (Figure 8), $Q_2$ (Figure 9), and $Q_3$ (Figure 10) eliminate certain cycles from the set of models of $P$. The graphs $Q_4$ (Figure 11), $Q_5$ (Figure 12), $Q_6$ (Figure 13) and $Q_9$ (Figure 16) ensure that different paths in the graph lead to the same object. The graphs $Q_7$ (Figure 14) and $Q_8$ (Figure 15) ensure that there is the same number of $U$- and $L$-nodes in a model of $P$. The graphs $Q_{10}$ (Figure 17) and $Q_{11}$ (Figure 18) ensure that $U$ or $L$ nodes have an $s_2$ edge to root iff the $U$ or $L$ node in the same column has an $s_2$-edge from a $C$-node. The graphs $Q_{12}$ (Figure 19) and $Q_{13}$ (Figure 20) ensure that a $C$-node that is later in the $C$-list has an edge to a node that is later in the $U$ or $L$ list. Finally, the graphs $Q_{14}$ (Figure 21), $Q_{15}$ (Figure 22) and $Q_{16}$ (Figure 23) ensure that $C$-nodes have $s_2$ edges only to $U$- and $L$-nodes, and that an $L$ or $U$ node can only have an edge to root, null, a $U$-node, or an $L$-node.

We can now show the key step in the undecidability proof for the implication of graph constraints.

Proposition 37

$G_0 \to (P \wedge \neg Q)$ (7)

iff $G_0$ is a corresponder graph.

Proof. ($\Leftarrow$): Let $G_0$ be a corresponder graph

$G_0 = CG(n, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$.
Figure 16: Graph $Q_9$

Figure 17: Graph $Q_{10}$

Figure 18: Graph $Q_{11}$

We show that $G_0 \to P$ and that for all $0 \leq i \leq 16$ it is not the case that $G_0 \to Q_i$.

($G_0 \to P$): Define the homomorphism $h$ from $G_0$ to $P$ as follows.

$h(C_0) = c_0$
$h(C_1) = c_1$
$h(C_{2i+2}) = c_2$, $0 \leq i < k-1$
$h(C_{2i+3}) = c_3$, $0 \leq i < k-1$
$h(U_0) = a_0$
$h(U_1) = a_1$
$h(U_{2j+2}) = a_2$ if $j+1 \in \{u_1, \ldots, u_{k-1}\}$, and $a_4$ otherwise, $0 \leq j < n-1$
$h(U_{2j+3}) = a_3$ if $j+1 \in \{l_1, \ldots, l_{k-1}\}$, and $a_5$ otherwise, $0 \leq j < n-1$
$h(L_0) = b_0$
$h(L_1) = b_1$
$h(L_{2j+2}) = b_2$ if $j+1 \in \{u_1, \ldots, u_{k-1}\}$, and $b_4$ otherwise, $0 \leq j < n-1$
$h(L_{2j+3}) = b_3$ if $j+1 \in \{l_1, \ldots, l_{k-1}\}$, and $b_5$ otherwise, $0 \leq j < n-1$

It is straightforward to verify that $h$ is indeed a homomorphism, so $G_0 \to P$.

($\neg (G_0 \to Q_0)$): Apply Proposition 18 with $e = 1^*$.
($\neg (G_0 \to Q_1)$): Apply Proposition 18 with $e = 121^*$.
($\neg (G_0 \to Q_2)$): Apply Proposition 18 with $e = 1221^*$.
($\neg (G_0 \to Q_3)$): Apply Proposition 18 with $e = 12(21)^*$.
($\neg (G_0 \to Q_4)$): Suppose $h$ is a homomorphism from $G_0$ to $Q_4$. By mapping the path

$\mathrm{root}, 1, C_0, 2, U_0, 1, U_1$

we conclude $h(U_1) = a_1$. By mapping the path

$\mathrm{root}, 1, C_0, 2, U_0, 2, L_0, 1, L_1, 2, U_1$

we conclude $h(U_1) = a_2$, which is a contradiction.

($\neg (G_0 \to Q_5)$): Suppose $h$ is a homomorphism from $G_0$ to $Q_5$. By mapping the slice in $121^*$ with $h$ we conclude that there exists a node $U_j$ in $G_0$ such that $h(U_j) = a_0$. Now as in the previous case we get that $h(U_{j+1}) = a_1$ and $h(U_{j+1}) = a_2$, which is a contradiction.

($\neg (G_0 \to Q_6)$): Similarly to the previous case, map the slice in $1221^*$ to conclude that for some node $L_j$ we have $h(L_j) = b_0$, and then obtain a contradiction.



($\neg (G_0 \to Q_7)$): Similarly to the previous cases, suppose $h$ is a homomorphism from $G_0$ to $Q_7$. By mapping the slice in $1221^*$ via $h$, we conclude that there exists a node $L_j$ in $G_0$ such that $h(L_j) = b_0$. By construction of $Q_7$ it must be that $s_1(L_j) = \mathrm{null}$. Furthermore, $h(U_j) = a_0$ and $s_1(U_j) \neq \mathrm{null}$. This is a contradiction with the fact that $G_0$ is a corresponder graph.

($\neg (G_0 \to Q_8)$): This fact is analogous to the previous one.

($\neg (G_0 \to Q_9)$): Suppose $h$ is a homomorphism from $G_0$ to $Q_9$. As in the case $\neg (G_0 \to Q_4)$ we conclude $h(L_1) = b_1$ and $h(L_1) = b_2$, a contradiction.

($\neg (G_0 \to Q_{10})$): Suppose $h$ is a homomorphism from $G_0$ to $Q_{10}$. As in the case $\neg (G_0 \to Q_5)$, for some node $U_j$ in $G_0$ we have $h(U_j) = a_0$. Next it follows that $h(L_j) = b_0$ and $s_2(L_j) = \mathrm{root}$, which implies $j = 2u_r$ where $0 \leq r < k$. Therefore $s_2(C_{2r}) = U_j$. But this is in contradiction with the fact that $h(U_j) = a_0$ and $a_0$ has no incoming $s_2$-edges in $Q_{10}$.

($\neg (G_0 \to Q_{11})$): This case is analogous to the previous one.

($\neg (G_0 \to Q_{12})$): Suppose $h$ is a homomorphism from $G_0$ to $Q_{12}$. By mapping the slice in $1^*$ from $G_0$ to $Q_{12}$ we conclude that there exists a node $C_{2j}$ in $G_0$ such that $h(C_{2j}) = c_2$ and a node $C_{2i}$ where $i > j+2$ such that $h(C_{2i}) = c_6$. Since $s_2(c_2) = a_0$, we conclude $h(U_{2u_j}) = a_0$. By mapping the path

$U_{2u_j}, 1, U_{2u_j+1}, 1, U_{2u_j+2}, 1, \ldots, 1, \mathrm{null}$

with the homomorphism $h$, we conclude that there exists some $U$-node with even index that is mapped to $a_4$. So let $U_{2(u_j+t)}$ be such a node with the least index. Then

$h(U_{2(u_j+t)}) = a_4$ (8)

and $h(U_{2(u_j+r)}) = a_2$ for $1 \leq r < t$. Let $1 \leq r < t$. Then $h(L_{2(u_j+r)}) = b_0$, so $s_2(L_{2(u_j+r)}) = \mathrm{null}$, which means that $u_j + r < u_{j+1}$ for all $1 \leq r < t$, so $u_j + t \leq u_{j+1} < u_i$. Therefore

$s_2(C_{2i}) \neq U_{2(u_j+t)}$.

$h$ is a homomorphism and $h(C_{2i}) = c_6$, so

$h(U_{2u_i}) = a_4$. (9)

The corresponder graph $G_0$ contains a path in $1^*$ from $U_{2(u_j+t)}$ to $U_{2u_i}$ where $U_{2(u_j+t)}$ and $U_{2u_i}$ are distinct nodes because $u_j + t < u_i$. Because $h(U_{2(u_j+t)}) = h(U_{2u_i}) = a_4$, there exists a cyclic $s_1$-path from $a_4$ to $a_4$ in $Q_{12}$, a contradiction with the definition of $Q_{12}$.

($\neg (G_0 \to Q_{13})$): This case is analogous to the previous one.

($\neg (G_0 \to Q_{14})$): Suppose $h$ is a homomorphism from $G_0$ to $Q_{14}$. Then $h(C_i) = c_2$ for some $i$. Let $S = s_2(C_i)$. Then $S = U_j$ or $S = L_j$ for some $j$, and $h(S) = a_2$. On the other hand, by mapping the slices $121^*$ and $1221^*$, we conclude that all $U$-nodes are mapped to $a_0$ and $a_1$ whereas all $L$-nodes are mapped to $b_0$ and $b_1$. This is a contradiction with $h(S) = a_2$.

($\neg (G_0 \to Q_{15})$): Suppose $h$ is a homomorphism from $G_0$ to $Q_{15}$. Then for some node $L_j$ we have $h(L_j) = b_2$ and therefore $h(U_j) = a_2$. On the other hand, by mapping the slice $121^*$ we conclude that all $U$-nodes are mapped to $a_0$ and $a_1$, which is a contradiction.

($\neg (G_0 \to Q_{16})$): This case is analogous to the previous one.

($\Rightarrow$): Let

$G_0 = (V, s_1, s_2, \mathrm{null}, \mathrm{root})$.

Assume that $G_0 \to P$ and for all $0 \leq i \leq 16$ it is not the case that $G_0 \to Q_i$. We will show that $G_0$ is a corresponder graph. Let

$C_0 = s_1(\mathrm{root})$
$C_1 = s_1(C_0)$
$C_2 = s_1(C_1)$
$\ldots$

Then for all $i \geq 0$ we have $C_i \neq \mathrm{root}$, because $G_0 \to P$.

We claim that there must exist $t$ such that $C_t = \mathrm{null}$ and $C_{t-1} \neq \mathrm{null}$. Suppose the claim is false. Because the graph is finite, the nodes $C_i$ form a cycle with $s_1$ edges: there exist $i_1, i_2$ such that $0 \leq i_1 < i_2$, $C_{i_1} = C_{i_2}$ and $C_{i_1} \neq \mathrm{null}$. We can then show $G_0 \to Q_0$, a contradiction.

Let $t$ be the smallest index such that $C_t = \mathrm{null}$. Then $t = 2k$ for some $k \geq 2$ because $G_0 \to P$. The nodes $\mathrm{root}, \mathrm{null}, C_0, \ldots, C_{2k-1}$ are all distinct.

Figure 21: Graph $Q_{14}$

Figure 22: Graph $Q_{15}$




Figure 23: Graph $Q_{16}$
Next, consider the sequence

$U_0 = s_2(C_0)$
$U_1 = s_1(U_0)$
$U_2 = s_1(U_1)$
$\ldots$

Because $\neg (G_0 \to Q_1)$ and $G_0 \to P$, there must exist some $n_1$ such that $U_{2n_1} = \mathrm{null}$ and

$U_i \notin \{\mathrm{null}, \mathrm{root}\} \cup \{C_0, \ldots, C_{2k-1}\} \cup \{U_0, \ldots, U_{i-1}\}$

for $0 \leq i < 2n_1$. Because $\neg (G_0 \to Q_2)$ and $G_0 \to P$, considering the sequence

$L_0 = s_2(U_0)$
$L_1 = s_1(L_0)$
$L_2 = s_1(L_1)$
$\ldots$

we conclude that there must exist $n_2$ such that $L_{2n_2} = \mathrm{null}$ and

$L_i \notin \{\mathrm{null}, \mathrm{root}\} \cup \{C_0, \ldots, C_{2k-1}\} \cup \{U_0, \ldots, U_{2n_1-1}\} \cup \{L_0, \ldots, L_{i-1}\}$

for $0 \leq i < 2n_2$. Let

$V_0 = \{\mathrm{null}, \mathrm{root}\} \cup \{C_0, \ldots, C_{2k-1}\} \cup \{U_0, \ldots, U_{2n_1-1}\} \cup \{L_0, \ldots, L_{2n_2-1}\}$.

Figure 24 shows the shape of the portion of $G_0$ identified so far. By construction,

$s_1[V_0] \subseteq V_0$.

In the sequel we will show that $s_2[V_0] \subseteq V_0$ holds as well. By definition of heap, all nodes in $G_0$ are reachable from root, which will imply $V \setminus V_0 = \emptyset$. We will also show that $n_1 = n_2$ and that $G_0$ satisfies the invariants that make it isomorphic to a corresponder graph.

We first observe that $s_2(C_1) = L_1$. Indeed, suppose that $s_2(C_1) \neq L_1$. From $G_0 \to P$ it follows that $s_2(C_1) \notin \{\mathrm{null}, \mathrm{root}\}$. We can then show $G_0 \to Q_9$, which is a contradiction.

We now show that the $s_2$ edges between $U$-nodes and $L$-nodes form a $(2 \times n)$-grid where $n = n_1 = n_2$. First we observe $s_2(L_1) = U_1$, otherwise we would have $G_0 \to Q_4$. Next we claim that every non-null $s_2$ edge originating from a $U$-node terminates at an $L$-node. Suppose $s_2(U_j)$ is not an $L$-node. It cannot be a $C$-node or a $U$-node because $G_0 \to P$. The only remaining possibility is that $s_2(U_j)$ is a node outside $V_0$. But then $G_0 \to Q_{16}$, a contradiction. Similarly, because $\neg (G_0 \to Q_{15})$, every non-null $s_2$ edge of an $L$-node terminates at a $U$-node. Finally, we claim that for all $j \geq 0$, either $U_{2j} = L_{2j} = \mathrm{null}$, or all of the following holds:

• $s_2(U_{2j}) = L_{2j}$

• $s_2(L_{2j+1}) = U_{2j+1}$

We have already established the claim for $j = 0$. Suppose the claim does not hold for all $j$. Consider the least $j > 0$ for which the claim does not hold. Then one of the nodes $U_{2j}, L_{2j}$ is not null. Assume $U_{2j} \neq \mathrm{null}$ and $L_{2j} = \mathrm{null}$. Then $G_0 \to Q_7$, a contradiction. Similarly, if $U_{2j} = \mathrm{null}$ and $L_{2j} \neq \mathrm{null}$, then $G_0 \to Q_8$, again a contradiction. So $U_{2j} \neq \mathrm{null}$ and $L_{2j} \neq \mathrm{null}$. Then from $G_0 \to P$ it follows that $U_{2j+1} \neq \mathrm{null}$ and $L_{2j+1} \neq \mathrm{null}$. From the previous discussion and $G_0 \to P$ we conclude

$s_2(U_{2j}) = L_{2i}$

for some $i \geq 0$. We want to show $i = j$. Suppose $i < j$. Then there is a cycle $p$ starting at $U_0$ such that $\mathrm{word}(p) \in (21)^*$. But then $G_0 \to Q_3$, a contradiction. Now suppose $i > j$. Then $G_0 \to Q_6$, a contradiction. Therefore $i = j$ and $s_2(U_{2j}) = L_{2j}$. We similarly establish $s_2(L_{2j+1}) = U_{2j+1}$ using the fact $\neg (G_0 \to Q_5)$. This establishes our claim for all $j \geq 0$. We conclude that $n_1 = n_2$ and that the $U$- and $L$-nodes are linked as in Figure 25.

We next consider the $s_2$-edges of $C$-nodes and find the values $u_1, \ldots, u_{k-1}$ and $l_1, \ldots, l_{k-1}$. First we show that $s_2(C_{2j})$ is a $U$-node for $0 \leq j < k$. Suppose $s_2(C_{2j})$ is not a $U$-node. Because $G_0 \to P$, we conclude $s_2(C_{2j}) \notin V_0$. But then $G_0 \to Q_{14}$, a contradiction. We similarly establish from $G_0 \to P$ and $\neg (G_0 \to Q_{14})$ that $s_2(C_{2j+1})$ is an $L$-node for $0 \leq j < k$. From $G_0 \to P$ it follows that $s_2(C_{2j}) = U_{2i}$ for some $i$ and $s_2(C_{2j+1}) = L_{2l+1}$ for some $l$.

We can therefore define $u_j$ and $l_j$ such that

$s_2(C_{2j}) = U_{2u_j}$
$s_2(C_{2j+1}) = L_{2l_j+1}$

for $0 \leq j < k$.
We next show

$s_2(L_{2j}) = \mathrm{root}$ iff $\exists i.\ s_2(C_{2i}) = U_{2j}$.

From $G_0 \to P$ we have $s_2(L_{2j}) \in \{\mathrm{null}, \mathrm{root}\}$. Moreover, if $s_2(C_{2i}) = U_{2j}$, then $s_2(L_{2j}) = \mathrm{root}$. It remains to show that $s_2(L_{2j}) = \mathrm{root}$ implies $s_2(C_{2i}) = U_{2j}$ for some $i$. Suppose that $s_2(L_{2j}) = \mathrm{root}$ but $\forall i.\ s_2(C_{2i}) \neq U_{2j}$. Then $G_0 \to Q_{10}$, a contradiction. We similarly establish

$s_2(U_{2j+1}) = \mathrm{root}$ iff $\exists i.\ s_2(C_{2i+1}) = L_{2j+1}$

using $\neg (G_0 \to Q_{11})$.

We claim

$u_j < u_{j+1}$

for $0 \leq j < k-1$. Suppose the claim is false and let $j$ be the smallest index for which $u_{j+1} < u_j$. Let $i$ be such that $u_i$ is the largest among $u_0, \ldots, u_{k-1}$ with the property $u_i < u_{j+1}$. Clearly $0 \leq i \leq j-1$. Then there exists a homomorphism $h$ from $G_0$ to $Q_{12}$ such that $h(U_{2u_i}) = a_0$ and $h(U_{2u_{j+1}}) = a_4$. This is a contradiction with $\neg (G_0 \to Q_{12})$. We similarly conclude

$l_j < l_{j+1}$

for $0 \leq j < k-1$, using $\neg (G_0 \to Q_{13})$.

Finally we observe that we have identified all $s_2$-edges from $V_0$, so $s_2[V_0] \subseteq V_0$. Therefore $V \setminus V_0 = \emptyset$. We conclude that $G_0$ is isomorphic to

$CG(n_1, k, u_1, \ldots, u_{k-1}, l_1, \ldots, l_{k-1})$. ■



Figure 24: Graph $G_0$ after identifying the nodes

Figure 25: Graph $G_0$ after establishing the $s_2$ edges between $U$- and $L$-nodes



3.4 The Undecidability Result 

Theorem 38 The implication of graphs is undecidable over the class of heaps.

Proof. We will reduce satisfiability of graphs over the class of corresponder graphs to the problem of finding a counterexample to an implication of graphs over the class of heaps. Given the reduction in Proposition 35 this will establish that the implication of graphs is Turing co-recognizable and undecidable.

Let $G$ be a graph. Consider the implication

$(G \times P) \leadsto_H Q$ (10)

We claim that $G_0$ is a counterexample for this implication iff $G_0$ is a corresponder graph such that $G_0 \to G$.

Assume that $G_0$ is a corresponder graph and $G_0 \to G$. By Proposition 37 we have $G_0 \to P$ and $\neg (G_0 \to Q)$. We then have $G_0 \to (G \times P)$. Since $\neg (G_0 \to Q)$, we conclude that $G_0$ is a counterexample for (10).

Assume now that $G_0$ is a counterexample for (10). Then $G_0 \to G \times P$ and $\neg (G_0 \to Q)$. Since $G_0 \to P$ and $\neg (G_0 \to Q)$, by Proposition 37 we conclude that $G_0$ is a corresponder graph. Furthermore, $G_0 \to G$. ■



3.5 Discussion 

In this section we give comments on our proof of the unde- 
cidability of implication and state some implications of this 
result for checking properties of programs. 



3.5.1 Graph Equivalence and Negation 

Definition 39 We say that graphs $G_1$ and $G_2$ are equivalent over the class of graphs $C$, and write

$G_1 \equiv_C G_2$,

iff

$G_0 \to G_1$ iff $G_0 \to G_2$

for every $G_0 \in C$.

Proposition 40 Equivalence of graphs over the class of heaps is undecidable.

Proof. From Proposition 25 we have

$G_1 \leadsto_H G_2$

iff

$G_1 \equiv_H G_1 \times G_2$.

The result then follows from Proposition 38. ■

We also observe that regular graph constraints over heaps are not closed under negation. Indeed, assume that for every graph $G$ there exists a graph $\bar{G}$ such that the heap models of $\bar{G}$ are all heaps that are not models of $G$. Then finding a counterexample to an implication $P \leadsto_H Q$ is reduced to satisfiability of the graph

$P \times \bar{Q}$.

This is a contradiction because Proposition 23 implies that satisfiability over heaps is decidable whereas Proposition 38 implies that finding a counterexample to $P \leadsto_H Q$ is undecidable.






3.5.2 Implication of Acyclic Heaps 

Corresponder graphs are a cyclic subclass of the class of heaps. The cyclicity, however, is not at all essential for our construction. We argue that implication of graphs is also undecidable over the class of acyclic heaps. We can define a minor variation of corresponder graphs where $U$ and $L$ nodes never point back to root. Instead, we introduce a special node different from null to indicate the difference between columns $j$ for

$j \in \{u_1, \ldots, u_{k-1}\} \cup \{l_1, \ldots, l_{k-1}\}$

and the remaining columns. The resulting graphs are acyclic heaps. As a result, we have the following fact.

Proposition 41 Implication of graphs is undecidable over the class of acyclic heaps.

3.5.3 Alternative Proofs 

An alternative way to prove undecidability would be to show that conjunction of regular graph constraints and their negations can express graphs similar to grids (instead of corresponder graphs). While the construction using grids may be possible, we have found the construction using corresponder graphs to be simpler. The reason is that corresponder graphs, unlike grids, are essentially one-dimensional structures.

Our proof of Proposition 37 could potentially be simplified by showing that a larger fragment of MSOL can be written in the form of negation of an implication of graphs. We consider formulas that can be reduced to checking negation of an implication between graphs. Let a literal be a formula constructed from an orable graph as in Section 2.5. Define a homogeneous clause as a disjunction of positive literals:

$C_i = A_0^i \vee \cdots \vee A_{r}^i$

or a disjunction of negative literals:

$D_i = (\neg B_0^i) \vee \cdots \vee (\neg B_{r}^i)$.

Then any conjunction of positive and negative clauses

$C_0 \wedge \cdots \wedge C_{n-1} \wedge D_0 \wedge \cdots \wedge D_{m-1}$

is expressible as a negation of an implication of graph constraints. This fragment appears quite expressive, but we have not been able to obtain a characterization of the fragment that allows a natural encoding of a subclass like grids or corresponder graphs in a way simpler than in Proposition 37.

3.5.4 Consequences for Program Checking 

Implication of graphs arises if procedure specifications are regular graph constraints.

Example 42 Consider a procedure $p$ whose precondition is that the program heap is homomorphic to a graph $G_1$ and a procedure $q$ whose precondition is that the program heap is homomorphic to a graph $G_2$ (Figure 26). If the first statement in the body of $p$ is a call to $q()$, a program checker must ensure that the implication $G_1 \leadsto_H G_2$ holds.

procedure p()
  pre G1
{
  q();
}

procedure q()
  pre G2
{
}

Figure 26: Program Checking Requires $G_1 \leadsto_H G_2$

Figure 27: Ensuring an invariant requires implication

♦

We next show that the implication problem also arises when maintaining an invariant at every program point, if the invariant is a regular graph constraint. Let

$G^1 = (V^1, s_1^1, s_2^1, \mathrm{null}, \mathrm{root}^1)$
$G^2 = (V^2, s_1^2, s_2^2, \mathrm{null}, \mathrm{root}^2)$

be orable graphs such that there are no edges from nodes in $V^1$ to $\mathrm{root}^1$ and no edges from nodes in $V^2$ to $\mathrm{root}^2$. Construct the graph $G$ (Figure 27) as

$G = (V, s_1, s_2, \mathrm{null}, \mathrm{root})$

where

$V = \{\mathrm{root}, a, b\} \cup V^1 \cup V^2$
$s_1 = \{(\mathrm{root}, a), (\mathrm{root}, b), (a, \mathrm{root}^1), (b, \mathrm{root}^2)\} \cup s_1^1 \cup s_1^2$
$s_2 = \{(\mathrm{root}, \mathrm{null}), (a, \mathrm{root}), (b, \mathrm{null})\} \cup s_2^1 \cup s_2^2$

and where

$\{\mathrm{root}, a, b\} \cap (V^1 \cup V^2) = \emptyset$.

Suppose that we have a program checking system that verifies that a graph constraint is true after every statement. Consider the statement

root.1.2 := null (11)

Let

$G^0 = (V^0, s_1^0, s_2^0, \mathrm{null}, \mathrm{root}^0)$

be the graph before the statement. After the statement the resulting graph is

$G' = (V^0, s_1^0, s_2', \mathrm{null}, \mathrm{root}^0)$

where the value of the 2-edge from $x$ has changed so that it points to null:

$s_2' = s_2^0[x := \mathrm{null}]$.

Our program checking system needs to verify that for all heaps $G^0$,

$(G^0 \to G)$ implies $(G' \to G)$. (12)

Let $h$ be a homomorphism from $G^0$ to $G$. Let $x = s_1^0(s_1^0(\mathrm{root}^0))$. Then

$h(x) = \mathrm{root}^1$

or

$h(x) = \mathrm{root}^2$.

Moreover, $\mathrm{root}^1$ and $\mathrm{root}^2$ are reachable only through the path $\mathrm{root}, 1, a, 1$, so no nodes other than $x$ may be mapped to $\mathrm{root}^1$ or $\mathrm{root}^2$. We can therefore show that the implication (12) is equivalent to

$G^1 \leadsto_H G^2$. (13)

As explained in Section 3.5.2 we can modify the construction in the proof of Proposition 37 such that $P$ and $Q$ have no edges terminating at root. We then let $G^1 = P$ and $G^2 = Q$. From the undecidability of the implication of graphs over the domain of heaps it follows that maintaining an invariant expressed as a regular graph constraint is undecidable, even across a simple assignment statement such as (11).

4 Related Work 

The idea of typestate as a system for statically verifying changing properties of objects was proposed in [25] and extended in [21]. The original typestate system as well as the more recent work in the context of object-oriented programming do not support constraints over dynamically allocated objects, which is the focus of our paper.

Several recent systems support tree-like dynamically allocated data structures [23, 28, 15, 18]. The restriction to tree-like data structures is in contrast to our notion of heap, which allows cycles. The presence of non-tree data structures is one of the key factors that make the implication of regular graph constraints undecidable.

The idea of representing properties of a statically unbounded number of heaps by homomorphically mapping them to a bounded family of graphs is pervasive in the work on shape analysis [6, 2, 11, 19, 20]. These analyses use abstractions that capture approximate properties of data structures even if they are not tree-like. This feature of shape analyses makes our results directly applicable. Our undecidability result implies the inability to semantically check implication or equivalence of such abstractions.

Shape analysis techniques were applied to a typestate checking problem in role analysis [14]. The compositionality of the analysis and the presence of procedure specifications made the need for solving the implication of constraints in [14] explicit. The algorithm in [14] uses "context matching" as a decidable approximation for the implication of constraints. In [13] it was suggested that the implication problem for role constraints is undecidable. The argument makes use of acyclicity constraints as well as constraints on the number of incoming edges of a node. In the present paper, we have shown that undecidability holds even for the regular graph constraints, which cannot directly specify acyclicity or the number of incoming edges of a node. This makes the present undecidability result strictly stronger than the result in [13].

We were pleased to discover that the constraints derived as a simplification of role analysis constraints generalize the notions of tree automata [27, ?] and a whole family of equivalent systems over grids [12]. The remarkable fact that MSOL over trees is equivalent to tree automata inspired the question of which classes of graphs have a decidable MSOL theory [1]. In this paper we have introduced regular graph constraints, which can be seen as an alternative to MSOL in generalizing projections of local properties over trees and grids. Although regular graph constraints are strictly weaker than MSOL (and in fact the satisfiability of regular graph constraints is decidable over heaps), we have shown that the implication for regular graph constraints over heaps is undecidable.

5 Conclusion 

We have proposed regular graph constraints as an abstrac- 
tion of mutually recursive properties of objects in poten- 
tially cyclic graphs. We presented some evidence that regu- 
lar graph constraints are a natural generalization of the tree 
automata and domino systems. We have shown that sat- 
isfiability of regular graph constraints is decidable over the 
domain of heaps. As a main result, we have shown that the 
implication of regular graph constraints is undecidable. The 
consequence of this result is that verifying that procedure 
preconditions are satisfied as well as maintaining program 
invariants is undecidable if these properties are expressed as 
regular graph constraints. 

We have seen that decidability of problems with regular 
constraints is sensitive to the choice of the class of graphs. In 
particular, a smaller class of graphs need not imply better 
decidability properties. This indicates that techniques for 
reasoning about different classes of graphs may be substan- 
tially different. We conclude that a good support for mech- 
anized reasoning about data structures would likely contain 
a set of specialized reasoning techniques for different classes 
of graphs. 